From 2f0869ad74741d47c2748d8962710675072bc90b Mon Sep 17 00:00:00 2001 From: Souhardya Sardar <24700571+Souhardya@users.noreply.github.com> Date: Thu, 30 Dec 2021 07:50:24 +0530 Subject: [PATCH] Add files via upload --- ...Dispatch_NTDLL_NtQueryMultipleValueKey.cpp | 88 ++++ .../Dispatch_NTDLL_NtQueryMultipleValueKey.h | 45 ++ HookPorts/Dispatch_NTDLL_NtQueryObject.cpp | 115 +++++ HookPorts/Dispatch_NTDLL_NtQueryObject.h | 42 ++ ...ispatch_NTDLL_NtQuerySystemInformation.cpp | 159 +++++++ .../Dispatch_NTDLL_NtQuerySystemInformation.h | 175 ++++++++ HookPorts/Dispatch_NTDLL_NtQueryValueKey.cpp | 164 +++++++ HookPorts/Dispatch_NTDLL_NtQueryValueKey.h | 39 ++ HookPorts/Dispatch_NTDLL_NtReadFile.cpp | 199 +++++++++ HookPorts/Dispatch_NTDLL_NtReadFile.h | 56 +++ HookPorts/Dispatch_NTDLL_NtRenameKey.cpp | 72 ++++ HookPorts/Dispatch_NTDLL_NtRenameKey.h | 26 ++ HookPorts/Dispatch_NTDLL_NtResumeThread.cpp | 152 +++++++ HookPorts/Dispatch_NTDLL_NtResumeThread.h | 57 +++ HookPorts/Dispatch_NTDLL_NtSaveKey.cpp | 72 ++++ HookPorts/Dispatch_NTDLL_NtSaveKey.h | 23 + .../Dispatch_NTDLL_NtSecureConnectPort.cpp | 100 +++++ .../Dispatch_NTDLL_NtSecureConnectPort.h | 74 ++++ .../Dispatch_NTDLL_NtSetInformationFile.cpp | 400 ++++++++++++++++++ .../Dispatch_NTDLL_NtSetInformationFile.h | 32 ++ .../Dispatch_NTDLL_NtSetInformationToken.cpp | 80 ++++ .../Dispatch_NTDLL_NtSetInformationToken.h | 29 ++ .../Dispatch_NTDLL_NtSetSecurityObject.cpp | 76 ++++ .../Dispatch_NTDLL_NtSetSecurityObject.h | 29 ++ .../Dispatch_NTDLL_NtSetSystemInformation.cpp | 82 ++++ .../Dispatch_NTDLL_NtSetSystemInformation.h | 26 ++ HookPorts/Dispatch_NTDLL_NtSetValueKey.cpp | 165 ++++++++ HookPorts/Dispatch_NTDLL_NtSetValueKey.h | 35 ++ .../Dispatch_NTDLL_NtSystemDebugControl.cpp | 285 +++++++++++++ .../Dispatch_NTDLL_NtSystemDebugControl.h | 75 ++++ HookPorts/Dispatch_NTDLL_NtWriteFile.cpp | 267 ++++++++++++ HookPorts/Dispatch_NTDLL_NtWriteFile.h | 44 ++ .../Dispatch_NTDLL_NtWriteVirtualMemory.cpp | 80 ++++ .../Dispatch_NTDLL_NtWriteVirtualMemory.h | 29 ++ 34 files changed, 3392 insertions(+) create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryObject.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryObject.h create mode 100644 HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.h create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryValueKey.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtQueryValueKey.h create mode 100644 HookPorts/Dispatch_NTDLL_NtReadFile.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtReadFile.h create mode 100644 HookPorts/Dispatch_NTDLL_NtRenameKey.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtRenameKey.h create mode 100644 HookPorts/Dispatch_NTDLL_NtResumeThread.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtResumeThread.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSaveKey.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSaveKey.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSecureConnectPort.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSecureConnectPort.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSetInformationFile.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSetInformationFile.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSetInformationToken.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSetInformationToken.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSetSecurityObject.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSetSecurityObject.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSetSystemInformation.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSetSystemInformation.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSetValueKey.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSetValueKey.h create mode 100644 HookPorts/Dispatch_NTDLL_NtSystemDebugControl.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtSystemDebugControl.h create mode 100644 HookPorts/Dispatch_NTDLL_NtWriteFile.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtWriteFile.h create mode 100644 HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.cpp create mode 100644 HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.h diff --git a/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp new file mode 100644 index 0000000..d4b0acd --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.cpp @@ -0,0 +1,88 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtQueryMultipleValueKey.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtQueryMultipleValueKey pfnNtQueryMultipleValueKey = NULL; + + + +// +//Dispatch_NTDLL_NtQueryMultipleValueKey Functions +// +NTSTATUS +NTAPI +OnNtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, + IN ULONG NumberOfValues, + OUT PVOID DataBuffer, + IN OUT ULONG BufferLength, + OUT PULONG RequiredLength OPTIONAL + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtQueryMultipleValueKey( + KeyHandle, + ValuesList, + NumberOfValues, + DataBuffer, + BufferLength, + RequiredLength + ); + + return nRet; + } + + nRet = pfnNtQueryMultipleValueKey( + KeyHandle, + ValuesList, + NumberOfValues, + DataBuffer, + BufferLength, + RequiredLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, + IN ULONG NumberOfValues, + OUT PVOID DataBuffer, + IN OUT ULONG BufferLength, + OUT PULONG RequiredLength OPTIONAL + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtQueryMultipleValueKey addFun = (__pfnNtQueryMultipleValueKey)GetProcAddress(hDll,"NtQueryMultipleValueKey"); + if(addFun) + { + ret = addFun(KeyHandle,ValuesList,NumberOfValues,DataBuffer,BufferLength,RequiredLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h new file mode 100644 index 0000000..223d611 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryMultipleValueKey.h @@ -0,0 +1,45 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtEnumerateKey.h" +#include "./Dispatch_NTDLL_NtCreateThread.h" + +typedef struct _KEY_MULTIPLE_VALUE_INFORMATION { + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_MULTIPLE_VALUE_INFORMATION, *PKEY_MULTIPLE_VALUE_INFORMATION; + +typedef NTSTATUS (NTAPI * __pfnNtQueryMultipleValueKey) +( + IN HANDLE KeyHandle, + IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, + IN ULONG NumberOfValues, + OUT PVOID DataBuffer, + IN OUT ULONG BufferLength, + OUT PULONG RequiredLength OPTIONAL + ); + +extern __pfnNtQueryMultipleValueKey pfnNtQueryMultipleValueKey; + +NTSTATUS +NTAPI +OnNtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, + IN ULONG NumberOfValues, + OUT PVOID DataBuffer, + IN OUT ULONG BufferLength, + OUT PULONG RequiredLength OPTIONAL + ); + +NTSTATUS +NTAPI +NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_MULTIPLE_VALUE_INFORMATION ValuesList, + IN ULONG NumberOfValues, + OUT PVOID DataBuffer, + IN OUT ULONG BufferLength, + OUT PULONG RequiredLength OPTIONAL + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQueryObject.cpp b/HookPorts/Dispatch_NTDLL_NtQueryObject.cpp new file mode 100644 index 0000000..1df4952 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryObject.cpp @@ -0,0 +1,115 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtQueryObject.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./GetProcAddressEx.h" +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtQueryInformationFile.h" + + + +// +//Global +// +__pfnNtQueryObject pfnNtQueryObject = NULL; + + + +// +//Dispatch_NTDLL_NtQueryObject Functions +// +NTSTATUS +NTAPI +OnNtQueryObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtQueryObject( + ObjectHandle, + ObjectInformationClass, + ObjectInformation, + Length, + ResultLength + ); + + return nRet; + } + + nRet = pfnNtQueryObject( + ObjectHandle, + ObjectInformationClass, + ObjectInformation, + Length, + ResultLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtQueryObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtQueryObject addFun = (__pfnNtQueryObject)GetProcAddress(hDll,"NtQueryObject"); + if(addFun) + { + ret = addFun(ObjectHandle,ObjectInformationClass,ObjectInformation,Length,ResultLength); + } + return ret; +} + +int QueryNameInfoByNtQueryObject( IN HANDLE ObjectHandle, OUT WCHAR * lpszNameInfo ) +{ + //Return Value: + //-1 = error + //0 = succeed + int iRet = -1; + + // + //Query info by call NtQueryObject + // + ULONG uResultLength = 0; + POBJECT_NAME_INFORMATION pNameInfo = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x1000); + + NTSTATUS nStatusQueryObject; + nStatusQueryObject = NtQueryObject(ObjectHandle, ObjectNameInformation, pNameInfo, 0x1000, &uResultLength); + DWORD iQueryCount = 1; + while( nStatusQueryObject == STATUS_INFO_LENGTH_MISMATCH ) + { + pNameInfo = (POBJECT_NAME_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pNameInfo, 0x1000 * iQueryCount); + nStatusQueryObject = NtQueryObject(ObjectHandle, ObjectNameInformation, pNameInfo, 0x1000, NULL); + iQueryCount++; + } + if( nStatusQueryObject == STATUS_SUCCESS ) + { + lstrcpyW(lpszNameInfo,pNameInfo->Name.Buffer); + + iRet = 0; + } + HeapFree(GetProcessHeap(),0,pNameInfo); + + return iRet; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQueryObject.h b/HookPorts/Dispatch_NTDLL_NtQueryObject.h new file mode 100644 index 0000000..96a4e81 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryObject.h @@ -0,0 +1,42 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtQueryInformationFile.h" + +typedef enum _OBJECT_INFORMATION_CLASS { + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectAllInformation, + ObjectDataInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef NTSTATUS (NTAPI * __pfnNtQueryObject) +( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength); + +extern __pfnNtQueryObject pfnNtQueryObject; + +NTSTATUS +NTAPI +OnNtQueryObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength); + +NTSTATUS +NTAPI +NtQueryObject( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength); + +int QueryNameInfoByNtQueryObject( IN HANDLE ObjectHandle, OUT WCHAR * lpszNameInfo ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.cpp b/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.cpp new file mode 100644 index 0000000..02f7071 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.cpp @@ -0,0 +1,159 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtQuerySystemInformation.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtQuerySystemInformation pfnNtQuerySystemInformation = NULL; + + + +// +//Dispatch_NTDLL_NtQuerySystemInformation Functions +// +NTSTATUS +NTAPI +OnNtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtQuerySystemInformation( + SystemInformationClass, + SystemInformation, + SystemInformationLength, + ReturnLength + ); + + return nRet; + } + + nRet = pfnNtQuerySystemInformation( + SystemInformationClass, + SystemInformation, + SystemInformationLength, + ReturnLength + ); + + // + //Check if is succeed + // + if( nRet < 0 ) + { + return nRet; + } + + // + //Check if is a process request + // + if( SystemInformationClass != SystemProcessesAndThreadsInformation ) + { + return nRet; + } + + // + //Fake the data + // + int NbProcessToHide = 2; + int ProcessToHide[2]; + ProcessToHide[0] = 4; + ProcessToHide[1] = 888; + + PSYSTEM_PROCESS_INFORMATION Curr = NULL; + PSYSTEM_PROCESS_INFORMATION Prev = NULL; + + for(int i=0; iProcessName.Buffer != NULL ) + { + if( Curr->ProcessId== ProcessToHide[i] ) + { + if( Prev ) + { + //There was a process before + if(Curr->NextEntryDelta)//If there is a process after + { + //Previous process leads to next + Prev->NextEntryDelta += Curr->NextEntryDelta; + } + else + { + //Previous process is the last one + Prev->NextEntryDelta=0; + } + break; + }//Prev + else + { + //Is first process + if(Curr->NextEntryDelta) // if there is a process after it + { + //First process becomes this one + *(PBYTE)SystemInformation += Curr->NextEntryDelta; + } + else + { + // no process + SystemInformation = NULL; + } + break; + } + }//Curr->ProcessId + }//Curr->ProcessName + + if(!Curr->NextEntryDelta) + { + break; + } + + //Not a process to hide, prev ptr go to this process + Prev = Curr; + + //Curr go to next process + Curr = (PSYSTEM_PROCESS_INFORMATION)((PBYTE)Curr + Curr->NextEntryDelta); + }//while + }//for + + return nRet; +} + +NTSTATUS +NTAPI +NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL ) +{ + NTSTATUS ret = 0; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtQuerySystemInformation addFun = (__pfnNtQuerySystemInformation)GetProcAddressEx(hDll,"NtQuerySystemInformation"); + if(addFun) + { + ret = addFun(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.h b/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.h new file mode 100644 index 0000000..d64c944 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQuerySystemInformation.h @@ -0,0 +1,175 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemBasicInformation, + SystemProcessorInformation, + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemNotImplemented1, + SystemProcessesAndThreadsInformation, + SystemCallCounts, + SystemConfigurationInformation, + SystemProcessorTimes, + SystemGloballFlag, + SystemNotImplemented2, + SystemModuleInformation, + SystemLockInformation, + SystemNotImplemented3, + SystemNotImplemented4, + SystemNotImplemented5, + SystemHandleInformation, + SystemObjectInformation, + SystemPagefileInformation, + SystemInstructionEmulationCounts, + SystemInvalidInfoClass1, + SystemCacheInformation, + SystemPoolTagInformation, + SystemProcessorStatistics, + SystemDpcInformation, + SystemNotImplemented6, + SystemLoadImage, + SystemUnloadImage, + SystemTimeAdjustment, + SystemNotImplemented7, + SystemNotImplemented8, + SystemNotImplemented9, + SystemCrashDumpInformation, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemLoadAndCallImage, + SystemPrioritySeparation, + SystemNotImplemented10, + SystemNotImplemented11, + SystemInvalidInfoClass2, + SystemInvalidInfoClass3, + SystemTimeZoneInformation, + SystemLookasideInformation, + SystemSetTimeSlipEvent, + SystemCreateSession, + SystemDeleteSession, + SystemInvalidInfoClass4, + SystemRangeStartInformation, + SystemVerifierInformation, + SystemAddVerifier, + SystemSessionProcessesInformation +} SYSTEM_INFORMATION_CLASS; + +// +// Process Virtual Memory Counters +// NtQueryInformationProcess using ProcessVmCounters +// + +typedef struct _VM_COUNTERS { + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; +} VM_COUNTERS; +typedef VM_COUNTERS *PVM_COUNTERS; + +// +// Wait reasons +// + +typedef enum _KWAIT_REASON { + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + Spare2, + Spare3, + Spare4, + Spare5, + Spare6, + WrKernel, + MaximumWaitReason + } KWAIT_REASON; + +typedef struct _SYSTEM_THREAD_INFORMATION +{ + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientIs; + KPRIORITY Priority; + KPRIORITY BasePriority; + ULONG ContextSwitchCount; + ULONG ThreadState; + KWAIT_REASON WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_PROCESS_INFORMATION { + ULONG NextEntryDelta; // next process offset + ULONG ThreadCount; // thread number + ULONG Reserved1[6]; // reserved + LARGE_INTEGER CreateTime; // process creation time + LARGE_INTEGER UserTime; // user mode time of the process + LARGE_INTEGER KernelTime; // kernel mode time + UNICODE_STRING ProcessName; // process name + KPRIORITY BasePriority; // priority + ULONG ProcessId; // pid + ULONG InheritedFromProcessId; // ppid + ULONG HandleCount; // handles number + ULONG Reserved2[2]; // reserved + VM_COUNTERS VmCounters; // virtual memory counter +#if _WIN32_WINNT >= 0x500 + IO_COUNTERS IoCounters; // I/O counter (win2k) +#endif + SYSTEM_THREAD_INFORMATION Threads[1]; // process thread +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + +typedef NTSTATUS (NTAPI * __pfnNtQuerySystemInformation) +( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL ); + +extern __pfnNtQuerySystemInformation pfnNtQuerySystemInformation; + +NTSTATUS +NTAPI +OnNtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL ); + +NTSTATUS +NTAPI +NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQueryValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtQueryValueKey.cpp new file mode 100644 index 0000000..478db1a --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryValueKey.cpp @@ -0,0 +1,164 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtQueryValueKey.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./HookHelp_Reg.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + +#include "./CloneAPI_ADVAPI32.h" + + + +// +//Global +// +__pfnNtQueryValueKey pfnNtQueryValueKey = NULL; + + + +// +//Dispatch_NTDLL_NtQueryValueKey Functions +// +NTSTATUS +NTAPI +OnNtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtQueryValueKey( + KeyHandle, + ValueName, + KeyValueInformationClass, + KeyValueInformation, + Length, + ResultLength + ); + + return nRet; + } + + WCHAR szRegKrnlPath[MAX_NAME] = {NULL}; + WCHAR szDispatchRegKrnlPath[MAX_NAME] = {NULL}; + WCHAR szDispatchRegUserPath[MAX_NAME] = {NULL}; + + if( GetRegistryPathName(KeyHandle,NULL,NULL,g_szRestoreRegPath,szRegKrnlPath,szDispatchRegKrnlPath,szDispatchRegUserPath) != 0 ) + { + nRet = pfnNtQueryValueKey( + KeyHandle, + ValueName, + KeyValueInformationClass, + KeyValueInformation, + Length, + ResultLength + ); + + return nRet; + } + + // + //Check if request in SandBox + // + if( wcsnicmp(szRegKrnlPath,g_szRestoreFullRegKrnlPath,lstrlenW(g_szRestoreFullRegKrnlPath)) == 0 ) + { + nRet = pfnNtQueryValueKey( + KeyHandle, + ValueName, + KeyValueInformationClass, + KeyValueInformation, + Length, + ResultLength + ); + + return nRet; + } + +//#ifdef Dbg +// WCHAR szDebugString[2048] = {0}; +// wsprintf( +// szDebugString, +// L"szRegKrnlPath = [%s]\r\nszDispatchRegKrnlPath = [%s]\r\nszDispatchRegUserPath = [%s]\r\nszValueName = [%s]", +// szRegKrnlPath, +// szDispatchRegKrnlPath, +// szDispatchRegUserPath, +// szValueName +// ); +// DebugLog(DbgInfo,szDebugString); +//#endif + + WCHAR szValueName[MAX_NAME] = {NULL}; + lstrcpyW(szValueName,ValueName->Buffer); + + if( QueryDispatchedRegValue(szDispatchRegUserPath,szValueName) == 1 ) + { + // + //Dispatch + // + HKEY hkKey; + if( CAPI_RegOpenKeyExW(HKEY_USERS,szDispatchRegUserPath,NULL,KEY_READ,&hkKey) == ERROR_SUCCESS ) + { + nRet = pfnNtQueryValueKey( + hkKey, + ValueName, + KeyValueInformationClass, + KeyValueInformation, + Length, + ResultLength + ); + } + CAPI_RegCloseKey(hkKey); + + return nRet; + } + + nRet = pfnNtQueryValueKey( + KeyHandle, + ValueName, + KeyValueInformationClass, + KeyValueInformation, + Length, + ResultLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtQueryValueKey addFun = (__pfnNtQueryValueKey)GetProcAddress(hDll,"NtQueryValueKey"); + if(addFun) + { + ret = addFun(KeyHandle,ValueName,KeyValueInformationClass,KeyValueInformation,Length,ResultLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtQueryValueKey.h b/HookPorts/Dispatch_NTDLL_NtQueryValueKey.h new file mode 100644 index 0000000..7914ef2 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtQueryValueKey.h @@ -0,0 +1,39 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtEnumerateKey.h" +#include "./Dispatch_NTDLL_NtEnumerateValueKey.h" +#include "./Dispatch_NTDLL_NtCreateThread.h" + +typedef NTSTATUS (NTAPI * __pfnNtQueryValueKey) +( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + +extern __pfnNtQueryValueKey pfnNtQueryValueKey; + +NTSTATUS +NTAPI +OnNtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); + +NTSTATUS +NTAPI +NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation, + IN ULONG Length, + OUT PULONG ResultLength + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtReadFile.cpp b/HookPorts/Dispatch_NTDLL_NtReadFile.cpp new file mode 100644 index 0000000..30e1364 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtReadFile.cpp @@ -0,0 +1,199 @@ +#include +#include +#include + +#include "./Dispatch_NTDLL_NtReadFile.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./HookHelp_File.h" +#include "./GetProcAddressEx.h" +#include "../Config/Config.h" +#include "./Main.h" +#include "./NativeAPI_NTDLL.h" +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtCreateFile.h" +#include "./Dispatch_NTDLL_NtClose.h" + + + +// +//Global +// +__pfnNtReadFile pfnNtReadFile = NULL; + + + +// +//Dispatch_NTDLL_NtReadFile Functions +// +NTSTATUS +NTAPI +OnNtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtReadFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; + } + + //(\\??\\C:\\WINDOWS\\XXX) + WCHAR szLongNtPath[MAX_NAME] = {NULL}; + //(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX) + WCHAR szDispatchNtPath[MAX_NAME] = {NULL}; + + if( GetLongNtPathName(FileHandle,NULL,NULL,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 ) + { + nRet = pfnNtReadFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; + } + + //OutputDebugString(L"\r\nNtReadFile szLongNtPath="); + //OutputDebugString(szLongNtPath); + + // + //Check if file dispatched + // + int iFileDispatch = -1; + iFileDispatch = QueryDispatchedFile(szDispatchNtPath); + if( iFileDispatch == -1 ) + { + nRet = STATUS_UNSUCCESSFUL; + return nRet; + } + else + if( iFileDispatch == 1 ) + { + // + //Dispatch + // + + // + //Init UNICODE_STRING + // + UNICODE_STRING usNtFileName; + RtlInitUnicodeString(&usNtFileName,szDispatchNtPath); + + NTSTATUS nStatus; + HANDLE hFile = NULL; + IO_STATUS_BLOCK IoSB; + FILE_BASIC_INFORMATION stFileBasicInfo = {NULL}; + OBJECT_ATTRIBUTES oaObjAttrib; + + InitializeObjectAttributes( + &oaObjAttrib, + &usNtFileName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + + nStatus = NtCreateFile( + &hFile, + FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, + &oaObjAttrib, + &IoSB, + NULL, + FILE_ATTRIBUTE_NORMAL, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + NULL + ); + + if( nStatus == STATUS_SUCCESS ) + { + nRet = pfnNtReadFile( + hFile, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + } + + NtClose(hFile); + + return nRet; + } + + nRet = pfnNtReadFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtReadFile addFun = (__pfnNtReadFile)GetProcAddress(hDll,"NtReadFile"); + if(addFun) + { + ret = addFun(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtReadFile.h b/HookPorts/Dispatch_NTDLL_NtReadFile.h new file mode 100644 index 0000000..fb5aa15 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtReadFile.h @@ -0,0 +1,56 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtQueryInformationFile.h" + +// +// Define an Asynchronous Procedure Call from I/O viewpoint +// + +typedef +VOID +(NTAPI *PIO_APC_ROUTINE) ( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved + ); + +typedef NTSTATUS (NTAPI * __pfnNtReadFile) +( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +extern __pfnNtReadFile pfnNtReadFile; + +NTSTATUS +NTAPI +OnNtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +NTSTATUS +NTAPI +NtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtRenameKey.cpp b/HookPorts/Dispatch_NTDLL_NtRenameKey.cpp new file mode 100644 index 0000000..c15a942 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtRenameKey.cpp @@ -0,0 +1,72 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtRenameKey.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtRenameKey pfnNtRenameKey = NULL; + + + +// +//Dispatch_NTDLL_NtRenameKey Functions +// +NTSTATUS +NTAPI +OnNtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtRenameKey( + KeyHandle, + NewName + ); + + return nRet; + } + + nRet = pfnNtRenameKey( + KeyHandle, + NewName + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtRenameKey addFun = (__pfnNtRenameKey)GetProcAddress(hDll,"NtRenameKey"); + if(addFun) + { + ret = addFun(KeyHandle,NewName); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtRenameKey.h b/HookPorts/Dispatch_NTDLL_NtRenameKey.h new file mode 100644 index 0000000..fab286f --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtRenameKey.h @@ -0,0 +1,26 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtEnumerateKey.h" +#include "./Dispatch_NTDLL_NtCreateThread.h" + +typedef NTSTATUS (NTAPI * __pfnNtRenameKey) +( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ); + +extern __pfnNtRenameKey pfnNtRenameKey; + +NTSTATUS +NTAPI +OnNtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ); + +NTSTATUS +NTAPI +NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtResumeThread.cpp b/HookPorts/Dispatch_NTDLL_NtResumeThread.cpp new file mode 100644 index 0000000..4511a0b --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtResumeThread.cpp @@ -0,0 +1,152 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Dispatch_NTDLL_NtQuerySystemInformation.h" +#include "./Dispatch_NTDLL_NtQueryInformationThread.h" +#include "./Main.h" +#include "./RemoteInjection.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + +#include "./IATModifier.h" + + + +// +//Global +// +__pfnNtResumeThread pfnNtResumeThread = NULL; + + + +// +//Dispatch_NTDLL_NtResumeThread Functions +// +NTSTATUS +NTAPI +OnNtResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG SuspendCount OPTIONAL ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtResumeThread( + ThreadHandle, + SuspendCount + ); + + return nRet; + } + + // + //Query target ProcessId + // + NTSTATUS nStatus; + THREAD_BASIC_INFORMATION threadinfo; + DWORD dwProcessId = 0; + + //Query information of thread + nStatus = NtQueryInformationThread( + ThreadHandle, + ThreadBasicInformation, + (PVOID)&threadinfo, + sizeof(THREAD_BASIC_INFORMATION), + NULL); + + if(nStatus == STATUS_SUCCESS) + { + DWORD dwCurrentProcessId = 0; + dwProcessId = (DWORD)(threadinfo.ClientId.UniqueProcess); + dwCurrentProcessId = GetCurrentProcessId(); + + if( dwCurrentProcessId != dwProcessId ) + { + if( IsProcessPatched(dwProcessId,TRUE) == FALSE ) + { +#ifdef Dbg + WCHAR szDebugString[256] = {0}; + wsprintf(szDebugString,L"OnNtResumeThread dwProcessId=[%d]",dwProcessId); + DebugLog(DbgInfo,szDebugString); +#endif + + // + //Inject process + // + //int iInjection = 0; + //OBJECTCONFIG OBJCfg; + //lstrcpy(OBJCfg.szSandBoxName,g_szSandBoxName); + //AddProcessIdToProcTable(dwProcessId); + //iInjection = InjectProcess((HMODULE)g_hinstDLL,dwProcessId,&OBJCfg,"HookPort_Start"); + //if( iInjection == 1 ) + //{ + // nRet = STATUS_SUCCESS; + // return nRet; + //} + + // + //Patch IAT + // + LogProcessInfoToRegistrySYNC(g_szSandBoxName,dwProcessId); + + char strDllPath[MAX_PATH] = {0}; + GetModuleFileNameA((HMODULE)g_hinstDLL, strDllPath, MAX_PATH); + + Process process(dwProcessId); + IATModifier iatModifier(process); + // retrieve image base address so IATModifier is able to find the import directory + iatModifier.setImageBase(process.getImageBase(ThreadHandle)); + // modify import directory so our injected dll is loaded first + iatModifier.writeIAT(strDllPath); + } + else + { +#ifdef Dbg + WCHAR szDebugString[256] = {0}; + wsprintf(szDebugString,L"Already Patched! dwProcessId=[%d]",dwProcessId); + DebugLog(DbgInfo,szDebugString); +#endif + } + }//dwCurrentProcessId != dwProcessId + }//nStatus == STATUS_SUCCESS + else + { +#ifdef Dbg + DebugLog(DbgInfo,L"NtQueryInformationThread ERROR!!!!!"); +#endif + } + + nRet = pfnNtResumeThread( + ThreadHandle, + SuspendCount + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG SuspendCount OPTIONAL ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtResumeThread addFun = (__pfnNtResumeThread)GetProcAddress(hDll,"NtResumeThread"); + if(addFun) + { + ret = addFun(ThreadHandle,SuspendCount); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtResumeThread.h b/HookPorts/Dispatch_NTDLL_NtResumeThread.h new file mode 100644 index 0000000..0f44e7e --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtResumeThread.h @@ -0,0 +1,57 @@ +#pragma once + +#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) +#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) +#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) +#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L) +#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L) +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) +#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L) +#define STATUS_OBJECT_PATH_NOT_FOUND ((NTSTATUS)0xC000003AL) +#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L) +#define STATUS_PORT_DISCONNECTED ((NTSTATUS)0xC0000037L) +#define STATUS_INVALID_PORT_ATTRIBUTES ((NTSTATUS)0xC000002EL) +#define STATUS_PORT_CONNECTION_REFUSED ((NTSTATUS)0xC0000041L) +#define STATUS_INVALID_PORT_HANDLE ((NTSTATUS)0xC0000042L) +#define STATUS_PORT_ALREADY_SET ((NTSTATUS)0xC0000048L) +#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L) + +typedef ULONG THREADINFOCLASS; +typedef ULONG PROCESSINFOCLASS; +typedef ULONG_PTR KAFFINITY; +typedef ULONG KPRIORITY; +#define MEMORY_BASIC_INFORMATION_SIZE 28 + +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID; +typedef CLIENT_ID *PCLIENT_ID; + +typedef struct _THREAD_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + KAFFINITY AffinityMask; + KPRIORITY Priority; + KPRIORITY BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef NTSTATUS (NTAPI * __pfnNtResumeThread) +( + IN HANDLE ThreadHandle, + OUT PULONG SuspendCount OPTIONAL ); + +extern __pfnNtResumeThread pfnNtResumeThread; + +NTSTATUS +NTAPI +OnNtResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG SuspendCount OPTIONAL ); + +NTSTATUS +NTAPI +NtResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG SuspendCount OPTIONAL ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSaveKey.cpp b/HookPorts/Dispatch_NTDLL_NtSaveKey.cpp new file mode 100644 index 0000000..e2bc0dc --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSaveKey.cpp @@ -0,0 +1,72 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSaveKey.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtSaveKey pfnNtSaveKey = NULL; + + + +// +//Dispatch_NTDLL_NtSaveKey Functions +// +NTSTATUS +NTAPI +OnNtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSaveKey( + KeyHandle, + FileHandle + ); + + return nRet; + } + + nRet = pfnNtSaveKey( + KeyHandle, + FileHandle + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSaveKey addFun = (__pfnNtSaveKey)GetProcAddress(hDll,"NtSaveKey"); + if(addFun) + { + ret = addFun(KeyHandle,FileHandle); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSaveKey.h b/HookPorts/Dispatch_NTDLL_NtSaveKey.h new file mode 100644 index 0000000..132f074 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSaveKey.h @@ -0,0 +1,23 @@ +#pragma once + +typedef NTSTATUS (NTAPI * __pfnNtSaveKey) +( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ); + +extern __pfnNtSaveKey pfnNtSaveKey; + +NTSTATUS +NTAPI +OnNtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ); + +NTSTATUS +NTAPI +NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.cpp b/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.cpp new file mode 100644 index 0000000..bcd8bda --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.cpp @@ -0,0 +1,100 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSecureConnectPort.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtSecureConnectPort pfnNtSecureConnectPort = NULL; + + + +// +//Dispatch_NTDLL_NtSecureConnectPort Functions +// +NTSTATUS +NTAPI +OnNtSecureConnectPort( + PHANDLE PortHandle, + PUNICODE_STRING PortName, + PSECURITY_QUALITY_OF_SERVICE SecurityQos, + PLPC_SECTION_WRITE WriteSection, + PSID pSid, + PLPC_SECTION_READ ReadSection, + PULONG MaximumMessageLength, + PVOID ConnectInfo, + PULONG pConnectInfoLength + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSecureConnectPort( + PortHandle, + PortName, + SecurityQos, + WriteSection, + pSid, + ReadSection, + MaximumMessageLength, + ConnectInfo, + pConnectInfoLength + ); + + return nRet; + } + + nRet = pfnNtSecureConnectPort( + PortHandle, + PortName, + SecurityQos, + WriteSection, + pSid, + ReadSection, + MaximumMessageLength, + ConnectInfo, + pConnectInfoLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSecureConnectPort( + PHANDLE PortHandle, + PUNICODE_STRING PortName, + PSECURITY_QUALITY_OF_SERVICE SecurityQos, + PLPC_SECTION_WRITE WriteSection, + PSID pSid, + PLPC_SECTION_READ ReadSection, + PULONG MaximumMessageLength, + PVOID ConnectInfo, + PULONG pConnectInfoLength + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSecureConnectPort addFun = (__pfnNtSecureConnectPort)GetProcAddress(hDll,"NtSecureConnectPort"); + if(addFun) + { + ret = addFun(PortHandle,PortName,SecurityQos,WriteSection,pSid,ReadSection,MaximumMessageLength,ConnectInfo,pConnectInfoLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.h b/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.h new file mode 100644 index 0000000..39bc028 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSecureConnectPort.h @@ -0,0 +1,74 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" + +typedef struct _LPC_SECTION_WRITE +{ + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + ULONG ViewSize; + PVOID ViewBase; + PVOID TargetViewBase; +} LPC_SECTION_WRITE, *PLPC_SECTION_WRITE; + +typedef struct _LPC_SECTION_READ +{ + ULONG Length; + ULONG ViewSize; + PVOID ViewBase; +} LPC_SECTION_READ, *PLPC_SECTION_READ; + +typedef struct _LPC_MESSAGE +{ + USHORT DataSize; + USHORT MessageSize; + USHORT MessageType; + USHORT VirtualRangesOffset; + CLIENT_ID ClientId; + ULONG_PTR MessageId; + ULONG_PTR SectionSize; + UCHAR Data[ANYSIZE_ARRAY]; +} LPC_MESSAGE, *PLPC_MESSAGE; + +typedef NTSTATUS (NTAPI * __pfnNtSecureConnectPort) +( + PHANDLE PortHandle, + PUNICODE_STRING PortName, + PSECURITY_QUALITY_OF_SERVICE SecurityQos, + PLPC_SECTION_WRITE WriteSection, + PSID pSid, + PLPC_SECTION_READ ReadSection, + PULONG MaximumMessageLength, + PVOID ConnectInfo, + PULONG pConnectInfoLength + ); + +extern __pfnNtSecureConnectPort pfnNtSecureConnectPort; + +NTSTATUS +NTAPI +OnNtSecureConnectPort( + PHANDLE PortHandle, + PUNICODE_STRING PortName, + PSECURITY_QUALITY_OF_SERVICE SecurityQos, + PLPC_SECTION_WRITE WriteSection, + PSID pSid, + PLPC_SECTION_READ ReadSection, + PULONG MaximumMessageLength, + PVOID ConnectInfo, + PULONG pConnectInfoLength + ); +NTSTATUS +NTAPI +NtSecureConnectPort( + PHANDLE PortHandle, + PUNICODE_STRING PortName, + PSECURITY_QUALITY_OF_SERVICE SecurityQos, + PLPC_SECTION_WRITE WriteSection, + PSID pSid, + PLPC_SECTION_READ ReadSection, + PULONG MaximumMessageLength, + PVOID ConnectInfo, + PULONG pConnectInfoLength + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetInformationFile.cpp b/HookPorts/Dispatch_NTDLL_NtSetInformationFile.cpp new file mode 100644 index 0000000..f8c9dfb --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetInformationFile.cpp @@ -0,0 +1,400 @@ +#include +#include +#include +#include + +#include "./Dispatch_NTDLL_NtSetInformationFile.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./HookHelp_File.h" +#include "./GetProcAddressEx.h" +#include "../Config/Config.h" +#include "./Main.h" +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtCreateThread.h" +#include "./Dispatch_NTDLL_NtQueryInformationFile.h" +#include "./Dispatch_NTDLL_NtQueryObject.h" +#include "./Dispatch_NTDLL_NtCreateFile.h" +#include "./Dispatch_NTDLL_NtClose.h" +#include "./NativeAPI_NTDLL.h" + + + +// +//Global +// +__pfnNtSetInformationFile pfnNtSetInformationFile = NULL; + + + +// +//Dispatch_NTDLL_NtSetInformationFile Functions +// +NTSTATUS +NTAPI +OnNtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSetInformationFile( + FileHandle, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + + return nRet; + } + + //(\\??\\C:\\WINDOWS\\XXX) + WCHAR szLongNtPath[MAX_NAME] = {NULL}; + //(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX) + WCHAR szDispatchNtPath[MAX_NAME] = {NULL}; + + if( GetLongNtPathName(FileHandle,NULL,NULL,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 ) + { + nRet = pfnNtSetInformationFile( + FileHandle, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + + return nRet; + } + + // + //Check if request in SandBox + // + if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 ) + { + nRet = pfnNtSetInformationFile( + FileHandle, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + + return nRet; + } + + // + //Set right access for FileAttributes + // + ULONG uFileAttributes = FILE_ALL_ACCESS; + if( FileInformationClass == FileAllocationInformation || + FileInformationClass == FileEndOfFileInformation + ) + { + uFileAttributes = FILE_ALL_ACCESS; + } + else + { + uFileAttributes = FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES; + } + +//#ifdef Dbg +// WCHAR szDebugString[512] = {0}; +// wsprintf( +// szDebugString, +// L"szLongNtPath = [%s]\r\ndwFileAttributes = [%d] FileInformationClass = [%d]", +// szLongNtPath, +// uFileAttributes, +// FileInformationClass +// ); +// DebugLog(DbgInfo,szDebugString); +//#endif + + // + //Check if file dispatched + // + int iFileDispatch = -1; + iFileDispatch = QueryDispatchedFile(szDispatchNtPath); + if( iFileDispatch == -1 ) + { + nRet = STATUS_UNSUCCESSFUL; + return nRet; + } + else + if( iFileDispatch == 1 && + FileInformationClass != FileDispositionInformation + ) + { + // + //Dispatch + // + // + //Init UNICODE_STRING + // + UNICODE_STRING usNtFileName; + RtlInitUnicodeString(&usNtFileName,szDispatchNtPath); + + NTSTATUS nStatus; + HANDLE hFile = NULL; + IO_STATUS_BLOCK IoSB; + FILE_BASIC_INFORMATION stFileBasicInfo = {NULL}; + OBJECT_ATTRIBUTES oaObjAttrib; + + InitializeObjectAttributes( + &oaObjAttrib, + &usNtFileName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + + nStatus = NtCreateFile( + &hFile, + FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, + &oaObjAttrib, + &IoSB, + NULL, + uFileAttributes, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + NULL + ); + + if( nStatus == STATUS_SUCCESS ) + { + nRet = pfnNtSetInformationFile( + hFile, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + } + else + { + nRet = STATUS_UNSUCCESSFUL; + } + + NtClose(hFile); + + return nRet; + } + + // + //Check if is a [FileDispositionInformation] request + // + if( FileInformationClass == FileDispositionInformation ) + { + ULONG uFileAttributes = QueryFileAttributes(szLongNtPath); + +//#ifdef Dbg +// WCHAR szDebugString[512] = {0}; +// wsprintf( +// szDebugString, +// L"szLongNtPath = [%s]\r\ndwFileAttributes = [%d] FileInformationClass = [%d]", +// szLongNtPath, +// uFileAttributes, +// FileInformationClass +// ); +// DebugLog(DbgInfo,szDebugString); +//#endif + + if( SetFileDeletedMark(szLongNtPath,szDispatchNtPath,uFileAttributes) == 0 ) + { + nRet = STATUS_SUCCESS; + } + else + { + nRet = STATUS_ACCESS_DENIED; + } + + return nRet; + } + + // + //Check if is a [FileRenameInformation] request + // + if( FileInformationClass == FileRenameInformation ) + { + PFILE_RENAME_INFORMATION lpFileRenameInfo = NULL; + lpFileRenameInfo = (PFILE_RENAME_INFORMATION)FileInformation; + + if( lpFileRenameInfo->RootDirectory != NULL ) + { +#ifdef Dbg + DebugLog(DbgInfo,L"lpFileRenameInfo->RootDirectory != NULL!!! ERROR!"); +#endif + + nRet = STATUS_ACCESS_DENIED; + return nRet; + } + + WCHAR szNewNtFileName[MAX_NAME] = {NULL}; + lstrcpynW(szNewNtFileName,lpFileRenameInfo->FileName,(lpFileRenameInfo->FileNameLength/2)+1); + + WCHAR szNewLongNtFileName[MAX_NAME] = {NULL}; + WCHAR szNewDispatchNtFileName[MAX_NAME] = {NULL}; + + GetLongNtPathName(NULL,NULL,szNewNtFileName,g_szRestoreNtPath,szNewLongNtFileName,szNewDispatchNtFileName); + + ULONG uFileAttributes = QueryFileAttributes(szLongNtPath); + + // + //Init Directory + // + InitDirectoryForFileDispatch(szDispatchNtPath); + + // + //Close handle + // + NtClose(FileHandle); + + // + //Copy file + // + CloneFileToDispatchPath(szLongNtPath,szNewDispatchNtFileName,uFileAttributes); + + SetFileDeletedMark(szLongNtPath,szDispatchNtPath,uFileAttributes); + + nRet = STATUS_SUCCESS; + return nRet; + } + + // + //Check if is a [FileBasicInformation] request + // + if( FileInformationClass == FileBasicInformation ) + { + nRet = STATUS_SUCCESS; + + return nRet; + } + + // + //Dispatch list + // + //FileDispositionInformation + //FileBasicInformation + //FileLinkInformation + //FileStreamInformation + //FileReparsePointInformation + //FileAccessInformation + //FileRenameInformation + //FileAllocationInformation + //FileEndOfFileInformation + + if( FileInformationClass == FileLinkInformation || + FileInformationClass == FileStreamInformation || + FileInformationClass == FileReparsePointInformation || + FileInformationClass == FileAccessInformation || + FileInformationClass == FileAllocationInformation || + FileInformationClass == FileEndOfFileInformation + ) + { + ULONG uFileAttributes = QueryFileAttributes(szLongNtPath); + + // + //Init Directory + // + InitDirectoryForFileDispatch(szDispatchNtPath); + + // + //Copy file + // + CloneFileToDispatchPath(szLongNtPath,szDispatchNtPath,uFileAttributes); + + // + //Init UNICODE_STRING + // + UNICODE_STRING usNtFileName; + RtlInitUnicodeString(&usNtFileName,szDispatchNtPath); + + NTSTATUS nStatus; + HANDLE hFile = NULL; + IO_STATUS_BLOCK IoSB; + FILE_BASIC_INFORMATION stFileBasicInfo = {NULL}; + OBJECT_ATTRIBUTES oaObjAttrib; + + InitializeObjectAttributes( + &oaObjAttrib, + &usNtFileName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + + nStatus = NtCreateFile( + &hFile, + FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, + &oaObjAttrib, + &IoSB, + NULL, + uFileAttributes, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + NULL + ); + + if( nStatus == STATUS_SUCCESS ) + { + nRet = pfnNtSetInformationFile( + hFile, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + } + else + { + nRet = STATUS_UNSUCCESSFUL; + } + + NtClose(hFile); + + return nRet; + } + + nRet = pfnNtSetInformationFile( + FileHandle, + IoStatusBlock, + FileInformation, + Length, + FileInformationClass + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSetInformationFile addFun = (__pfnNtSetInformationFile)GetProcAddress(hDll,"NtSetInformationFile"); + if(addFun) + { + ret = addFun(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetInformationFile.h b/HookPorts/Dispatch_NTDLL_NtSetInformationFile.h new file mode 100644 index 0000000..5dcdf04 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetInformationFile.h @@ -0,0 +1,32 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtQueryInformationFile.h" + +typedef NTSTATUS (NTAPI * __pfnNtSetInformationFile) +( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +extern __pfnNtSetInformationFile pfnNtSetInformationFile; + +NTSTATUS +NTAPI +OnNtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +NTSTATUS +NTAPI +NtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetInformationToken.cpp b/HookPorts/Dispatch_NTDLL_NtSetInformationToken.cpp new file mode 100644 index 0000000..8edf465 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetInformationToken.cpp @@ -0,0 +1,80 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSetInformationToken.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtSetInformationToken pfnNtSetInformationToken = NULL; + + + +// +//Dispatch_NTDLL_NtSetInformationToken Functions +// +NTSTATUS +NTAPI +OnNtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSetInformationToken( + TokenHandle, + TokenInformationClass, + TokenInformation, + TokenInformationLength + ); + + return nRet; + } + + nRet = pfnNtSetInformationToken( + TokenHandle, + TokenInformationClass, + TokenInformation, + TokenInformationLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSetInformationToken addFun = (__pfnNtSetInformationToken)GetProcAddress(hDll,"NtSetInformationToken"); + if(addFun) + { + ret = addFun(TokenHandle,TokenInformationClass,TokenInformation,TokenInformationLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetInformationToken.h b/HookPorts/Dispatch_NTDLL_NtSetInformationToken.h new file mode 100644 index 0000000..5fab8ea --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetInformationToken.h @@ -0,0 +1,29 @@ +#pragma once + +typedef NTSTATUS (NTAPI * __pfnNtSetInformationToken) +( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength + ); + +extern __pfnNtSetInformationToken pfnNtSetInformationToken; + +NTSTATUS +NTAPI +OnNtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength + ); + +NTSTATUS +NTAPI +NtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.cpp b/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.cpp new file mode 100644 index 0000000..3f048f2 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.cpp @@ -0,0 +1,76 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSetSecurityObject.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtSetSecurityObject pfnNtSetSecurityObject = NULL; + + + +// +//Dispatch_NTDLL_NtSetSecurityObject Functions +// +NTSTATUS +NTAPI +OnNtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSetSecurityObject( + ObjectHandle, + SecurityInformationClass, + DescriptorBuffer + ); + + return nRet; + } + + nRet = pfnNtSetSecurityObject( + ObjectHandle, + SecurityInformationClass, + DescriptorBuffer + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSetSecurityObject addFun = (__pfnNtSetSecurityObject)GetProcAddress(hDll,"NtSetSecurityObject"); + if(addFun) + { + ret = addFun(ObjectHandle,SecurityInformationClass,DescriptorBuffer); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.h b/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.h new file mode 100644 index 0000000..8eadb1a --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetSecurityObject.h @@ -0,0 +1,29 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtEnumerateKey.h" +#include "./Dispatch_NTDLL_NtCreateThread.h" + +typedef NTSTATUS (NTAPI * __pfnNtSetSecurityObject) +( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer + ); + +extern __pfnNtSetSecurityObject pfnNtSetSecurityObject; + +NTSTATUS +NTAPI +OnNtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer + ); + +NTSTATUS +NTAPI +NtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.cpp b/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.cpp new file mode 100644 index 0000000..ad6d629 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.cpp @@ -0,0 +1,82 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSetSystemInformation.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtSetSystemInformation pfnNtSetSystemInformation = NULL; + + + +// +//Dispatch_NTDLL_NtCreateThread Functions +// +NTSTATUS +NTAPI +OnNtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSetSystemInformation( + SystemInformationClass, + SystemInformation, + SystemInformationLength + ); + + return nRet; + } + + if( SystemInformation == NULL ) + { + return STATUS_INVALID_INFO_CLASS; + } + + if( SystemInformationClass == SystemLoadAndCallImage ) + { + return STATUS_INVALID_INFO_CLASS; + } + + nRet = pfnNtSetSystemInformation( + SystemInformationClass, + SystemInformation, + SystemInformationLength + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSetSystemInformation addFun = (__pfnNtSetSystemInformation)GetProcAddress(hDll,"NtSetSystemInformation"); + if(addFun) + { + ret = addFun(SystemInformationClass,SystemInformation,SystemInformationLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.h b/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.h new file mode 100644 index 0000000..45d7b54 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetSystemInformation.h @@ -0,0 +1,26 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtSetSystemInformation.h" +#include "./Dispatch_NTDLL_NtQuerySystemInformation.h" + +typedef NTSTATUS (NTAPI * __pfnNtSetSystemInformation) +( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength ); + +extern __pfnNtSetSystemInformation pfnNtSetSystemInformation; + +NTSTATUS +NTAPI +OnNtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength ); + +NTSTATUS +NTAPI +NtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetValueKey.cpp b/HookPorts/Dispatch_NTDLL_NtSetValueKey.cpp new file mode 100644 index 0000000..402dcd6 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetValueKey.cpp @@ -0,0 +1,165 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSetValueKey.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./HookHelp_Reg.h" +#include "./Main.h" +#include "./Initalization.h" +#include "./GetProcAddressEx.h" +#include "./Dispatch_NTDLL_NtQueryObject.h" + +#include "./CloneAPI_ADVAPI32.h" + + + +// +//Global +// +__pfnNtSetValueKey pfnNtSetValueKey = NULL; + + + +// +//Dispatch_NTDLL_NtSetValueKey Functions +// +NTSTATUS +NTAPI +OnNtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize + ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSetValueKey( + KeyHandle, + ValueName, + TitleIndex, + Type, + Data, + DataSize + ); + + return nRet; + } + + WCHAR szRegKrnlPath[MAX_NAME] = {NULL}; + WCHAR szDispatchRegKrnlPath[MAX_NAME] = {NULL}; + WCHAR szDispatchRegUserPath[MAX_NAME] = {NULL}; + + if( GetRegistryPathName(KeyHandle,NULL,NULL,g_szRestoreRegPath,szRegKrnlPath,szDispatchRegKrnlPath,szDispatchRegUserPath) != 0 ) + { + nRet = pfnNtSetValueKey( + KeyHandle, + ValueName, + TitleIndex, + Type, + Data, + DataSize + ); + + return nRet; + } + +//#ifdef Dbg +// WCHAR szDebugString[2048] = {0}; +// wsprintf( +// szDebugString, +// L"szRegKrnlPath = [%s]\r\nszDispatchRegKrnlPath = [%s]\r\nszDispatchRegUserPath = [%s]", +// szRegKrnlPath, +// szDispatchRegKrnlPath, +// szDispatchRegUserPath +// ); +// DebugLog(DbgInfo,szDebugString); +//#endif + + // + //Check if request in SandBox + // + if( wcsnicmp(szRegKrnlPath,g_szRestoreFullRegKrnlPath,lstrlenW(g_szRestoreFullRegKrnlPath)) == 0 ) + { + nRet = pfnNtSetValueKey( + KeyHandle, + ValueName, + TitleIndex, + Type, + Data, + DataSize + ); + + return nRet; + } + + // + //Init Subkey + // + InitSubkeyForRegDispatch(szDispatchRegUserPath); + + // + //Dispatch + // + HKEY hkKey; + if( CAPI_RegOpenKeyExW(HKEY_USERS,szDispatchRegUserPath,NULL,KEY_WRITE,&hkKey) == ERROR_SUCCESS ) + { + nRet = pfnNtSetValueKey( + hkKey, + ValueName, + TitleIndex, + Type, + Data, + DataSize + ); + + RegCloseKey(hkKey); + + return nRet; + } + CAPI_RegCloseKey(hkKey); + + nRet = pfnNtSetValueKey( + KeyHandle, + ValueName, + TitleIndex, + Type, + Data, + DataSize + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize + ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSetValueKey addFun = (__pfnNtSetValueKey)GetProcAddress(hDll,"NtSetValueKey"); + if(addFun) + { + ret = addFun(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSetValueKey.h b/HookPorts/Dispatch_NTDLL_NtSetValueKey.h new file mode 100644 index 0000000..c100d16 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSetValueKey.h @@ -0,0 +1,35 @@ +#pragma once + +typedef NTSTATUS (NTAPI * __pfnNtSetValueKey) +( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize + ); + +extern __pfnNtSetValueKey pfnNtSetValueKey; + +NTSTATUS +NTAPI +OnNtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize + ); + +NTSTATUS +NTAPI +NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID Data, + IN ULONG DataSize + ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.cpp b/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.cpp new file mode 100644 index 0000000..8dcbafa --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.cpp @@ -0,0 +1,285 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtSystemDebugControl.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./GetProcAddressEx.h" +#include "./Dispatch_NTDLL_NtResumeThread.h" + + + +// +//Global +// +__pfnNtSystemDebugControl pfnNtSystemDebugControl = NULL; + + + +// +//Dispatch_NTDLL_NtSystemDebugControl Functions +// +NTSTATUS +NTAPI +OnNtSystemDebugControl( + IN SYSDBG_COMMAND Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtSystemDebugControl( + Command, + InputBuffer, + InputBufferLength, + OutputBuffer, + OutputBufferLength, + ReturnLength + ); + + return nRet; + } + +// // +// //Check Command +// // +// BOOL bBypass = FALSE; +// WCHAR szControlCodeInfo[128] = {0}; +// switch( Command ) +// { +// case SysDbgQueryModuleInformation: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgQueryModuleInformation"); +// }break; +// case SysDbgQueryTraceInformation: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgQueryTraceInformation"); +// }break; +// case SysDbgSetTracepoint: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetTracepoint"); +// }break; +// case SysDbgSetSpecialCall: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetSpecialCall"); +// }break; +// case SysDbgClearSpecialCalls: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgClearSpecialCalls"); +// }break; +// case SysDbgQuerySpecialCalls: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgQuerySpecialCalls"); +// }break; +// case SysDbgBreakPoint: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgBreakPoint"); +// }break; +// case SysDbgQueryVersion: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgQueryVersion"); +// }break; +// case SysDbgReadVirtual: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadVirtual"); +// }break; +// case SysDbgWriteVirtual: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWriteVirtual"); +// }break; +// case SysDbgReadPhysical: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadPhysical"); +// }break; +// case SysDbgWritePhysical: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWritePhysical"); +// }break; +// case SysDbgReadControlSpace: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadControlSpace"); +// }break; +// case SysDbgWriteControlSpace: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWriteControlSpace"); +// }break; +// case SysDbgReadIoSpace: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadIoSpace"); +// }break; +// case SysDbgWriteIoSpace: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWriteIoSpace"); +// }break; +// case SysDbgReadMsr: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadMsr"); +// }break; +// case SysDbgWriteMsr: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWriteMsr"); +// }break; +// case SysDbgReadBusData: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgReadBusData"); +// }break; +// case SysDbgWriteBusData: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgWriteBusData"); +// }break; +// case SysDbgCheckLowMemory: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgCheckLowMemory"); +// }break; +// case SysDbgEnableKernelDebugger: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgEnableKernelDebugger"); +// }break; +// case SysDbgDisableKernelDebugger: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgDisableKernelDebugger"); +// }break; +// case SysDbgGetAutoKdEnable: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgGetAutoKdEnable"); +// }break; +// case SysDbgSetAutoKdEnable: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetAutoKdEnable"); +// }break; +// case SysDbgGetPrintBufferSize: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgGetPrintBufferSize"); +// }break; +// case SysDbgSetPrintBufferSize: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetPrintBufferSize"); +// }break; +// case SysDbgGetKdUmExceptionEnable: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgGetKdUmExceptionEnable"); +// }break; +// case SysDbgSetKdUmExceptionEnable: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetKdUmExceptionEnable"); +// }break; +// case SysDbgGetTriageDump: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgGetTriageDump"); +// }break; +// case SysDbgGetKdBlockEnable: +// { +// bBypass = TRUE; +// lstrcpy(szControlCodeInfo,L"SysDbgGetKdBlockEnable"); +// }break; +// case SysDbgSetKdBlockEnable: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"SysDbgSetKdBlockEnable"); +// } +// break; +// default: +// { +// bBypass = FALSE; +// lstrcpy(szControlCodeInfo,L"UNKNOWN SysDbgCommand"); +// }break; +// } +// +//#ifdef Dbg +// WCHAR szDebugString[256] = {0}; +// wsprintf( +// szDebugString, +// L"OnNtSystemDebugControl ControlCode=[%s]", +// szControlCodeInfo +// ); +// DebugLog(DbgInfo,szDebugString); +//#endif +// +// if( bBypass == TRUE ) +// { +// nRet = pfnNtSystemDebugControl( +// Command, +// InputBuffer, +// InputBufferLength, +// OutputBuffer, +// OutputBufferLength, +// ReturnLength +// ); +// } +// else +// { +//#ifdef Dbg +// DebugLog(DbgInfo,L"STATUS_ACCESS_DENIED"); +//#endif +// nRet = STATUS_ACCESS_DENIED; +// } +// +// return nRet; + + // + //Refuse directly + // + return STATUS_ACCESS_DENIED; +} + +NTSTATUS +NTAPI +NtSystemDebugControl( + IN SYSDBG_COMMAND Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtSystemDebugControl addFun = (__pfnNtSystemDebugControl)GetProcAddress(hDll,"NtSystemDebugControl"); + if(addFun) + { + ret = addFun(Command,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength,ReturnLength); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.h b/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.h new file mode 100644 index 0000000..1d3782a --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtSystemDebugControl.h @@ -0,0 +1,75 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" + +// +//Reverse engineering of enum made by tombkeeper(于旸) +// +typedef enum _SYSDBG_COMMAND { + //以下是NT各个版本上都有 + SysDbgQueryModuleInformation, + SysDbgQueryTraceInformation, + SysDbgSetTracepoint, + SysDbgSetSpecialCall, + SysDbgClearSpecialCalls, + SysDbgQuerySpecialCalls, + //以下是NT 5.1新增的 + SysDbgBreakPoint, + SysDbgQueryVersion,//获取KdVersionBlock + SysDbgReadVirtual,//从内核空间拷贝到用户空间 + SysDbgWriteVirtual,//从用户空间拷贝到内核空间 + SysDbgReadPhysical,//从物理地址拷贝到用户空间,不能写到内核空间 + SysDbgWritePhysical,//从用户空间拷贝到物理地址,不能读取内核空间 + SysDbgReadControlSpace,//读写处理器相关控制块 + SysDbgWriteControlSpace,//读写处理器相关控制块 + SysDbgReadIoSpace,//读写端口 + SysDbgWriteIoSpace,//读写端口 + SysDbgReadMsr,//分别调用RDMSR@4和_WRMSR@12 + SysDbgWriteMsr,//分别调用RDMSR@4和_WRMSR@12 + SysDbgReadBusData,//读写总线数据 + SysDbgWriteBusData,//读写总线数据 + SysDbgCheckLowMemory, + //以下是NT 5.2 新增的 + SysDbgEnableKernelDebugger,//分别调用_KdEnableDebugger@0和_KdDisableDebugger@0 + SysDbgDisableKernelDebugger,//分别调用_KdEnableDebugger@0和_KdDisableDebugger@0 + SysDbgGetAutoKdEnable,//获取和设置一些调试相关的变量 + SysDbgSetAutoKdEnable,//获取和设置一些调试相关的变量 + SysDbgGetPrintBufferSize,//获取和设置一些调试相关的变量 + SysDbgSetPrintBufferSize,//获取和设置一些调试相关的变量 + SysDbgGetKdUmExceptionEnable,//获取和设置一些调试相关的变量 + SysDbgSetKdUmExceptionEnable,//获取和设置一些调试相关的变量 + SysDbgGetTriageDump,//获取和设置一些调试相关的变量 + SysDbgGetKdBlockEnable,//获取和设置一些调试相关的变量 + SysDbgSetKdBlockEnable,//获取和设置一些调试相关的变量 +} SYSDBG_COMMAND, *PSYSDBG_COMMAND; + +typedef NTSTATUS (NTAPI * __pfnNtSystemDebugControl) +( + IN SYSDBG_COMMAND Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL ); + +extern __pfnNtSystemDebugControl pfnNtSystemDebugControl; + +NTSTATUS +NTAPI +OnNtSystemDebugControl( + IN SYSDBG_COMMAND Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL ); + +NTSTATUS +NTAPI +NtSystemDebugControl( + IN SYSDBG_COMMAND Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL ); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtWriteFile.cpp b/HookPorts/Dispatch_NTDLL_NtWriteFile.cpp new file mode 100644 index 0000000..e13f309 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtWriteFile.cpp @@ -0,0 +1,267 @@ +#include +#include +#include + +#include "./Dispatch_NTDLL_NtWriteFile.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./HookHelp_File.h" +#include "./GetProcAddressEx.h" +#include "../Config/Config.h" +#include "./Main.h" +#include "./NativeAPI_NTDLL.h" +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtCreateFile.h" +#include "./Dispatch_NTDLL_NtClose.h" + + + +// +//Global +// +__pfnNtWriteFile pfnNtWriteFile = NULL; + + + +// +//Dispatch_NTDLL_NtWriteFile Functions +// +NTSTATUS +NTAPI +OnNtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtWriteFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; + } + + //(\\??\\C:\\WINDOWS\\XXX) + WCHAR szLongNtPath[MAX_NAME] = {NULL}; + //(\\??\\C:\\SandBox\\DefaultBox\\Drive\\C\\WINDOWS\\XXX) + WCHAR szDispatchNtPath[MAX_NAME] = {NULL}; + + if( GetLongNtPathName(FileHandle,NULL,NULL,g_szRestoreNtPath,szLongNtPath,szDispatchNtPath) != 0 ) + { + nRet = pfnNtWriteFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; + } + + //OutputDebugString(L"\r\nNtWriteFile szLongNtPath="); + //OutputDebugString(szLongNtPath); + + // + //Check if request in SandBox + // + if( wcsnicmp(szLongNtPath,g_szRestoreNtPath,lstrlenW(g_szRestoreNtPath)) == 0 ) + { + nRet = pfnNtWriteFile( + FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + + return nRet; + } + + // + //Check if file dispatched + // + int iFileDispatch = -1; + iFileDispatch = QueryDispatchedFile(szDispatchNtPath); + if( iFileDispatch == -1 ) + { + nRet = STATUS_UNSUCCESSFUL; + return nRet; + } + else + if( iFileDispatch == 1 ) + { + // + //Dispatch + // + + // + //Init UNICODE_STRING + // + UNICODE_STRING usNtFileName; + RtlInitUnicodeString(&usNtFileName,szDispatchNtPath); + + NTSTATUS nStatus; + HANDLE hFile = NULL; + IO_STATUS_BLOCK IoSB; + FILE_BASIC_INFORMATION stFileBasicInfo = {NULL}; + OBJECT_ATTRIBUTES oaObjAttrib; + + InitializeObjectAttributes( + &oaObjAttrib, + &usNtFileName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + + nStatus = NtCreateFile( + &hFile, + FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, + &oaObjAttrib, + &IoSB, + NULL, + FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + NULL + ); + + if( nStatus == STATUS_SUCCESS ) + { + nRet = pfnNtWriteFile( + hFile, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + } + + NtClose(hFile); + + return nRet; + } + + // + //Init Directory + // + InitDirectoryForFileDispatch(szDispatchNtPath); + + // + //Copy file + // + CloneFileToDispatchPath(szLongNtPath,szDispatchNtPath,FILE_ATTRIBUTE_ARCHIVE); + + // + //Init UNICODE_STRING + // + UNICODE_STRING usNtFileName; + RtlInitUnicodeString(&usNtFileName,szDispatchNtPath); + + NTSTATUS nStatus; + HANDLE hFile = NULL; + IO_STATUS_BLOCK IoSB; + FILE_BASIC_INFORMATION stFileBasicInfo = {NULL}; + OBJECT_ATTRIBUTES oaObjAttrib; + + InitializeObjectAttributes( + &oaObjAttrib, + &usNtFileName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + + nStatus = NtCreateFile( + &hFile, + FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE, + &oaObjAttrib, + &IoSB, + NULL, + FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, + FILE_OPEN, + FILE_SYNCHRONOUS_IO_NONALERT, + NULL, + NULL + ); + + if( nStatus == STATUS_SUCCESS ) + { + nRet = pfnNtWriteFile( + hFile, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + Buffer, + Length, + ByteOffset, + Key + ); + } + + NtClose(hFile); + + return nRet; +} + +NTSTATUS +NTAPI +NtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtWriteFile addFun = (__pfnNtWriteFile)GetProcAddress(hDll,"NtWriteFile"); + if(addFun) + { + ret = addFun(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtWriteFile.h b/HookPorts/Dispatch_NTDLL_NtWriteFile.h new file mode 100644 index 0000000..4fb692c --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtWriteFile.h @@ -0,0 +1,44 @@ +#pragma once + +#include "./Dispatch_NTDLL_NtResumeThread.h" +#include "./Dispatch_NTDLL_NtReadFile.h" + +typedef NTSTATUS (NTAPI * __pfnNtWriteFile) +( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +extern __pfnNtWriteFile pfnNtWriteFile; + +NTSTATUS +NTAPI +OnNtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +NTSTATUS +NTAPI +NtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.cpp b/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.cpp new file mode 100644 index 0000000..0b621c0 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.cpp @@ -0,0 +1,80 @@ +#include +#include + +#include "./Dispatch_NTDLL_NtWriteVirtualMemory.h" +#include "../Common/DebugLog.h" +#include "./HookHelp.h" +#include "./GetProcAddressEx.h" + + + +// +//Global +// +__pfnNtWriteVirtualMemory pfnNtWriteVirtualMemory = NULL; + + + +// +//Dispatch_NTDLL_NtWriteVirtualMemory Functions +// +NTSTATUS +NTAPI +OnNtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL ) +{ + NTSTATUS nRet; + + DWORD dwRetAddr = 0; + __asm + { + mov eax, [ebp+4]; + sub eax, 5; + mov dwRetAddr, eax; + } + if( IsBypassCaller(dwRetAddr) ) + { + nRet = pfnNtWriteVirtualMemory( + ProcessHandle, + BaseAddress, + Buffer, + NumberOfBytesToWrite, + NumberOfBytesWritten + ); + + return nRet; + } + + nRet = pfnNtWriteVirtualMemory( + ProcessHandle, + BaseAddress, + Buffer, + NumberOfBytesToWrite, + NumberOfBytesWritten + ); + + return nRet; +} + +NTSTATUS +NTAPI +NtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL ) +{ + NTSTATUS ret; + HINSTANCE hDll = GetModuleHandleW(L"ntdll.dll"); + __pfnNtWriteVirtualMemory addFun = (__pfnNtWriteVirtualMemory)GetProcAddress(hDll,"NtWriteVirtualMemory"); + if(addFun) + { + ret = addFun(ProcessHandle,BaseAddress,Buffer,NumberOfBytesToWrite,NumberOfBytesWritten); + } + return ret; +} \ No newline at end of file diff --git a/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.h b/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.h new file mode 100644 index 0000000..5b76685 --- /dev/null +++ b/HookPorts/Dispatch_NTDLL_NtWriteVirtualMemory.h @@ -0,0 +1,29 @@ +#pragma once + +typedef NTSTATUS (NTAPI * __pfnNtWriteVirtualMemory) +( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL ); + +extern __pfnNtWriteVirtualMemory pfnNtWriteVirtualMemory; + +NTSTATUS +NTAPI +OnNtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL ); + +NTSTATUS +NTAPI +NtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN ULONG NumberOfBytesToWrite, + OUT PULONG NumberOfBytesWritten OPTIONAL ); \ No newline at end of file