├── Vulnerable Driver ├── Vulnerable Driver.h ├── Vulnerable Driver.vcxproj.filters ├── VulnerableDriver.inf ├── Vulnerable Driver.c ├── Vulnerable Driver.vcxproj └── Vulnerable Driver.vcxproj.BCK2 ├── Vulnerable Driver.sln ├── .gitattributes └── .gitignore /Vulnerable Driver/Vulnerable Driver.h: -------------------------------------------------------------------------------- 1 | 2 | // 3 | // Device type -- in the "User Defined" range." 4 | // 5 | #define SIOCTL_TYPE 40000 6 | // 7 | // The IOCTL function codes from 0x800 to 0xFFF are for customer use. 8 | // 9 | #define IOCTL_SIOCTL_METHOD_IN_DIRECT \ 10 | CTL_CODE( SIOCTL_TYPE, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS ) 11 | 12 | #define IOCTL_SIOCTL_METHOD_OUT_DIRECT \ 13 | CTL_CODE( SIOCTL_TYPE, 0x901, METHOD_OUT_DIRECT , FILE_ANY_ACCESS ) 14 | 15 | #define IOCTL_SIOCTL_METHOD_BUFFERED \ 16 | CTL_CODE( SIOCTL_TYPE, 0x902, METHOD_BUFFERED, FILE_ANY_ACCESS ) 17 | 18 | #define IOCTL_SIOCTL_METHOD_NEITHER \ 19 | CTL_CODE( SIOCTL_TYPE, 0x903, METHOD_NEITHER , FILE_ANY_ACCESS ) 20 | 21 | 22 | #define DRIVER_FUNC_INSTALL 0x01 23 | #define DRIVER_FUNC_REMOVE 0x02 24 | 25 | #define DRIVER_NAME "Vulnerable Driver" 26 | 27 | -------------------------------------------------------------------------------- /Vulnerable Driver/Vulnerable Driver.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Driver Files 34 | 35 | 36 | 
-------------------------------------------------------------------------------- /Vulnerable Driver.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Vulnerable Driver", "Vulnerable Driver\Vulnerable Driver.vcxproj", "{6C15CA05-5B01-4E0E-8486-11C11DB8961F}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|ARM64 = Debug|ARM64 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|ARM = Release|ARM 15 | Release|ARM64 = Release|ARM64 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|ARM.ActiveCfg = Win8.1 Release|x64 21 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|ARM.Build.0 = Win8.1 Release|x64 22 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|ARM64.ActiveCfg = Win8.1 Release|x64 23 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|ARM64.Build.0 = Win8.1 Release|x64 24 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|x64.ActiveCfg = Win8.1 Debug|x64 25 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|x64.Build.0 = Win8.1 Debug|x64 26 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|x86.ActiveCfg = Win8.1 Debug|Win32 27 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Debug|x86.Build.0 = Win8.1 Debug|Win32 28 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|ARM.ActiveCfg = Win8.1 Release|x64 29 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|ARM.Build.0 = Win8.1 Release|x64 30 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|ARM64.ActiveCfg = Win8.1 Release|x64 31 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|ARM64.Build.0 = Win8.1 Release|x64 32 | 
{6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|x64.ActiveCfg = Win8.1 Release|x64 33 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|x64.Build.0 = Win8.1 Release|x64 34 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|x86.ActiveCfg = Win8.1 Release|Win32 35 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F}.Release|x86.Build.0 = Win8.1 Release|Win32 36 | EndGlobalSection 37 | GlobalSection(SolutionProperties) = preSolution 38 | HideSolutionNode = FALSE 39 | EndGlobalSection 40 | EndGlobal 41 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /Vulnerable Driver/VulnerableDriver.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; VulnerableDriver.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=Sample ; TODO: edit Class 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=VulnerableDriver.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | 16 | ; ================= Class section ===================== 17 | 18 | [ClassInstall32] 19 | Addreg=SampleClassReg 20 | 21 | [SampleClassReg] 22 | HKR,,,0,%ClassName% 23 | HKR,,Icon,,-5 24 | 25 | [SourceDisksNames] 26 | 1 = %DiskName%,,,"" 27 | 28 | [SourceDisksFiles] 29 | VulnerableDriver.sys = 1,, 30 | 31 | ;***************************************** 32 | ; Install Section 33 | ;***************************************** 34 | 35 | [Manufacturer] 36 | %ManufacturerName%=Standard,NT$ARCH$ 37 | 38 | [Standard.NT$ARCH$] 39 | %VulnerableDriver.DeviceDesc%=VulnerableDriver_Device, Root\VulnerableDriver ; TODO: edit hw-id 40 | 41 | [VulnerableDriver_Device.NT] 42 | CopyFiles=Drivers_Dir 43 | 44 | [Drivers_Dir] 45 | VulnerableDriver.sys 46 | 47 | ;-------------- Service installation 48 | [VulnerableDriver_Device.NT.Services] 49 | AddService = VulnerableDriver,%SPSVCINST_ASSOCSERVICE%, VulnerableDriver_Service_Inst 50 | 51 | ; -------------- VulnerableDriver driver install sections 52 | 
[VulnerableDriver_Service_Inst] 53 | DisplayName = %VulnerableDriver.SVCDESC% 54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 55 | StartType = 3 ; SERVICE_DEMAND_START 56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 57 | ServiceBinary = %12%\VulnerableDriver.sys 58 | 59 | ; 60 | ;--- VulnerableDriver_Device Coinstaller installation ------ 61 | ; 62 | 63 | [DestinationDirs] 64 | VulnerableDriver_Device_CoInstaller_CopyFiles = 11 65 | 66 | [VulnerableDriver_Device.NT.CoInstallers] 67 | AddReg=VulnerableDriver_Device_CoInstaller_AddReg 68 | CopyFiles=VulnerableDriver_Device_CoInstaller_CopyFiles 69 | 70 | [VulnerableDriver_Device_CoInstaller_AddReg] 71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 72 | 73 | [VulnerableDriver_Device_CoInstaller_CopyFiles] 74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 75 | 76 | [SourceDisksFiles] 77 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames 78 | 79 | [VulnerableDriver_Device.NT.Wdf] 80 | KmdfService = VulnerableDriver, VulnerableDriver_wdfsect 81 | [VulnerableDriver_wdfsect] 82 | KmdfLibraryVersion = $KMDFVERSION$ 83 | 84 | [Strings] 85 | SPSVCINST_ASSOCSERVICE= 0x00000002 86 | ManufacturerName="" ;TODO: Replace with your manufacturer name 87 | ClassName="Samples" ; TODO: edit ClassName 88 | DiskName = "VulnerableDriver Installation Disk" 89 | VulnerableDriver.DeviceDesc = "VulnerableDriver Device" 90 | VulnerableDriver.SVCDESC = "VulnerableDriver Service" 91 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | build/ 21 | bld/ 22 | [Bb]in/ 23 | [Oo]bj/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | 28 | # MSTest test Results 29 | [Tt]est[Rr]esult*/ 30 | [Bb]uild[Ll]og.* 31 | 32 | # NUNIT 33 | *.VisualState.xml 34 | TestResult.xml 35 | 36 | # Build Results of an ATL Project 37 | [Dd]ebugPS/ 38 | [Rr]eleasePS/ 39 | dlldata.c 40 | 41 | # DNX 42 | project.lock.json 43 | artifacts/ 44 | 45 | *_i.c 46 | *_p.c 47 | *_i.h 48 | *.ilk 49 | *.meta 50 | *.obj 51 | *.pch 52 | *.pdb 53 | *.pgc 54 | *.pgd 55 | *.rsp 56 | *.sbr 57 | *.tlb 58 | *.tli 59 | *.tlh 60 | *.tmp 61 | *.tmp_proj 62 | *.log 63 | *.vspscc 64 | *.vssscc 65 | .builds 66 | *.pidb 67 | *.svclog 68 | *.scc 69 | 70 | # Chutzpah Test files 71 | _Chutzpah* 72 | 73 | # Visual C++ cache files 74 | ipch/ 75 | *.aps 76 | *.ncb 77 | *.opensdf 78 | *.sdf 79 | *.cachefile 80 | 81 | # Visual Studio profiler 82 | *.psess 83 | *.vsp 84 | *.vspx 85 | 86 | # TFS 2012 Local Workspace 87 | $tf/ 88 | 89 | # Guidance Automation Toolkit 90 | *.gpState 91 | 92 | # ReSharper is a .NET coding add-in 93 | _ReSharper*/ 94 | *.[Rr]e[Ss]harper 95 | *.DotSettings.user 96 | 97 | # JustCode is a .NET coding add-in 98 | .JustCode 99 | 100 | # TeamCity is a build add-in 101 | _TeamCity* 102 | 103 | # DotCover is a Code Coverage Tool 104 | *.dotCover 105 | 106 | # NCrunch 107 | _NCrunch_* 108 | .*crunch*.local.xml 109 | 110 | # MightyMoose 111 | *.mm.* 112 | AutoTest.Net/ 113 | 114 | # Web workbench (sass) 115 | .sass-cache/ 116 | 117 | # Installshield output folder 118 | [Ee]xpress/ 119 | 120 | # DocProject is a documentation generator add-in 121 | DocProject/buildhelp/ 122 | DocProject/Help/*.HxT 123 | DocProject/Help/*.HxC 124 | 
DocProject/Help/*.hhc 125 | DocProject/Help/*.hhk 126 | DocProject/Help/*.hhp 127 | DocProject/Help/Html2 128 | DocProject/Help/html 129 | 130 | # Click-Once directory 131 | publish/ 132 | 133 | # Publish Web Output 134 | *.[Pp]ublish.xml 135 | *.azurePubxml 136 | ## TODO: Comment the next line if you want to checkin your 137 | ## web deploy settings but do note that will include unencrypted 138 | ## passwords 139 | #*.pubxml 140 | 141 | *.publishproj 142 | 143 | # NuGet Packages 144 | *.nupkg 145 | # The packages folder can be ignored because of Package Restore 146 | **/packages/* 147 | # except build/, which is used as an MSBuild target. 148 | !**/packages/build/ 149 | # Uncomment if necessary however generally it will be regenerated when needed 150 | #!**/packages/repositories.config 151 | 152 | # Windows Azure Build Output 153 | csx/ 154 | *.build.csdef 155 | 156 | # Windows Store app package directory 157 | AppPackages/ 158 | 159 | # Visual Studio cache files 160 | # files ending in .cache can be ignored 161 | *.[Cc]ache 162 | # but keep track of directories ending in .cache 163 | !*.[Cc]ache/ 164 | 165 | # Others 166 | ClientBin/ 167 | [Ss]tyle[Cc]op.* 168 | ~$* 169 | *~ 170 | *.dbmdl 171 | *.dbproj.schemaview 172 | *.pfx 173 | *.publishsettings 174 | node_modules/ 175 | orleans.codegen.cs 176 | 177 | # RIA/Silverlight projects 178 | Generated_Code/ 179 | 180 | # Backup & report files from converting an old project file 181 | # to a newer Visual Studio version. 
Backup files are not needed, 182 | # because we have git ;-) 183 | _UpgradeReport_Files/ 184 | Backup*/ 185 | UpgradeLog*.XML 186 | UpgradeLog*.htm 187 | 188 | # SQL Server files 189 | *.mdf 190 | *.ldf 191 | 192 | # Business Intelligence projects 193 | *.rdl.data 194 | *.bim.layout 195 | *.bim_*.settings 196 | 197 | # Microsoft Fakes 198 | FakesAssemblies/ 199 | 200 | # Node.js Tools for Visual Studio 201 | .ntvs_analysis.dat 202 | 203 | # Visual Studio 6 build log 204 | *.plg 205 | 206 | # Visual Studio 6 workspace options file 207 | *.opt 208 | 209 | # LightSwitch generated files 210 | GeneratedArtifacts/ 211 | _Pvt_Extensions/ 212 | ModelManifest.xml 213 | -------------------------------------------------------------------------------- /Vulnerable Driver/Vulnerable Driver.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define DEVICE_NAME L"\\Device\\VulnerableDevice" 4 | #define DOS_DEVICE_NAME L"\\DosDevices\\VulnerableDOSDevice" 5 | 6 | #define IOCTL_UPDATE_WHAT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) 7 | #define IOCTL_UPDATE_WHERE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) 8 | #define IOCTL_TRIGGER_WRITE_WHAT_WHERE_VULNERABILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) 9 | #define IOCTL_UPDATE_BYTE_ADDRESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) 10 | #define IOCTL_TRIGGER_INCREMENT_ARBITRARY_BYTE_VULNERABILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) 11 | #define IOCTL_UPDATE_NEW_PROGRAM_COUTNER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS) 12 | #define IOCTL_TRIGGER_CONTROL_PROGRAM_COUNTER_VULNERABILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x806, METHOD_BUFFERED, FILE_ANY_ACCESS) 13 | 14 | 15 | static PUINT64 what = NULL, where = NULL; 16 | static PUINT8 byteAddress = NULL; 17 | static void (*programCounter)() = NULL; 18 | 19 | 20 | 
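/*
 * Copy one pointer-sized argument out of a METHOD_BUFFERED input buffer.
 *
 * Returns TRUE and stores the value in *value only when the I/O manager
 * supplied a buffer AND the caller-declared input length covers a full
 * pointer. Without the length check a short request would make the driver
 * read past the end of the pool allocation behind SystemBuffer (or read
 * stale bytes when only an output length was given).
 */
static BOOLEAN readPointerArgument(PCHAR input, ULONG inLen, ULONG_PTR *value)
{
    if (input == NULL || inLen < sizeof(ULONG_PTR))
        return FALSE;

    RtlCopyMemory(value, input, sizeof(ULONG_PTR));
    return TRUE;
}

/*
 * ioctlHandler - IRP_MJ_DEVICE_CONTROL dispatch routine.
 *
 * This is a deliberately vulnerable training driver. Every control code is
 * declared METHOD_BUFFERED with FILE_ANY_ACCESS, so any handle to the device
 * can issue any code. The three UPDATE codes store a caller-supplied,
 * pointer-sized value in a driver global; the three TRIGGER codes then use
 * that global as a kernel address with no validation:
 *
 *   - WRITE_WHAT_WHERE          : *where = what   (arbitrary 8-byte write)
 *   - INCREMENT_ARBITRARY_BYTE  : *byteAddress += 1
 *   - CONTROL_PROGRAM_COUNTER   : programCounter() (arbitrary indirect call)
 *
 * Those three primitives are the point of the exercise and are kept as-is.
 * What a production driver must do instead: never treat a value from the
 * request buffer as a kernel pointer, validate every length, and restrict
 * who can open the device and which access a control code requires.
 *
 * The globals are shared by every open handle and are not synchronized, so
 * concurrent callers can interleave an UPDATE and a TRIGGER.
 *
 * Incidental defects fixed here (they are not part of the lab design):
 *   - InputBufferLength was read but never checked before dereferencing.
 *   - DbgPrint("%16llx") was handed a promoted CHAR (*input), not 64 bits.
 *   - The CONTROL_PROGRAM_COUNTER path completed the IRP, made the call and
 *     then fell through to a second IoCompleteRequest on the same IRP.
 *   - Unknown control codes were reported as STATUS_SUCCESS.
 *   - The routine returned a literal 0 instead of the status it stored.
 *
 * Returns the same NTSTATUS that is stored in Irp->IoStatus.Status.
 */
NTSTATUS ioctlHandler(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    PIO_STACK_LOCATION stack;
    ULONG ctl, inLen;
    ULONG_PTR arg = 0;
    NTSTATUS status = STATUS_SUCCESS;
    PCHAR input = Irp->AssociatedIrp.SystemBuffer;

    stack = IoGetCurrentIrpStackLocation(Irp);

    ctl = stack->Parameters.DeviceIoControl.IoControlCode;
    inLen = stack->Parameters.DeviceIoControl.InputBufferLength;

    DbgPrint("Handling IOCTL\n");

    switch (ctl)
    {
    case IOCTL_UPDATE_WHAT:
        DbgPrint("Updating new value");
        if (readPointerArgument(input, inLen, &arg))
        {
            DbgPrint("%16llx\n", (ULONGLONG)arg);
            what = (PUINT64)arg;
        }
        else
        {
            status = STATUS_INVALID_PARAMETER;
        }
        break;

    case IOCTL_UPDATE_WHERE:
        DbgPrint("Updating target address");
        if (readPointerArgument(input, inLen, &arg))
        {
            DbgPrint("%16llx\n", (ULONGLONG)arg);
            where = (PUINT64)arg;
        }
        else
        {
            status = STATUS_INVALID_PARAMETER;
        }
        break;

    case IOCTL_TRIGGER_WRITE_WHAT_WHERE_VULNERABILITY:
        DbgPrint("Triggering Write What Where Vulnerability ... Are you sure?\n");
        /* Presumably expects an attached kernel debugger; confirm before loading. */
        DbgBreakPoint();
        DbgPrint("HOOLLY SHIT\n");
        /* INTENTIONAL: unvalidated kernel write through a caller-chosen address. */
        *where = (UINT64)what;
        break;

    case IOCTL_UPDATE_BYTE_ADDRESS:
        DbgPrint("Updating byte address");
        if (readPointerArgument(input, inLen, &arg))
        {
            DbgPrint("%16llx\n", (ULONGLONG)arg);
            byteAddress = (PUINT8)arg;
        }
        else
        {
            status = STATUS_INVALID_PARAMETER;
        }
        break;

    case IOCTL_TRIGGER_INCREMENT_ARBITRARY_BYTE_VULNERABILITY:
        DbgPrint("Triggering Arbitrary Byte Increment Vulnerability... Are you sure?\n");
        DbgBreakPoint();
        DbgPrint("Ownage\n");
        /* INTENTIONAL: unvalidated read-modify-write of a caller-chosen byte. */
        *byteAddress += 1;
        break;

    case IOCTL_UPDATE_NEW_PROGRAM_COUTNER:
        DbgPrint("Updating program counter to ");
        if (readPointerArgument(input, inLen, &arg))
        {
            DbgPrint("%16llx\n", (ULONGLONG)arg);
            programCounter = (void(*)())arg;
        }
        else
        {
            status = STATUS_INVALID_PARAMETER;
        }
        break;

    case IOCTL_TRIGGER_CONTROL_PROGRAM_COUNTER_VULNERABILITY:
        DbgPrint("Triggering Control PC Vulnerability... Are you sure?\n");
        DbgBreakPoint();

        /* The request is completed before the call, as in the original. */
        Irp->IoStatus.Status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);

        /* INTENTIONAL: indirect call through a caller-chosen address. */
        programCounter();

        /*
         * The IRP no longer belongs to the driver once it has been completed;
         * return here instead of falling through to a second completion.
         */
        return STATUS_SUCCESS;

    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;      /* no output data is ever returned */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/*
 * openCloseHandler - shared IRP_MJ_CREATE / IRP_MJ_CLOSE dispatch routine.
 *
 * Succeeds unconditionally: no per-handle state is kept and no check is made
 * on who is opening the device.
 */
NTSTATUS openCloseHandler(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}


/*
 * DriverEntry - creates the control device and its DOS-visible symbolic link,
 * and registers the create/close/device-control dispatch routines.
 *
 * Security-relevant choices visible here (all part of the lab design):
 *   - IoCreateDevice is called with DeviceCharacteristics = 0 and no explicit
 *     security descriptor. A production driver would normally restrict the
 *     device, e.g. IoCreateDeviceSecure with an SDDL string and
 *     FILE_DEVICE_SECURE_OPEN.
 *   - Exclusive is FALSE, so several handles can be open at once while the
 *     driver's globals are shared between them.
 *   - No DriverUnload routine is registered, and nothing in this routine
 *     removes the device or the symbolic link after a successful load.
 *
 * Returns the status of the first failing call, otherwise the status of
 * IoCreateSymbolicLink.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS st;
    PDEVICE_OBJECT deviceObject = NULL;
    UNICODE_STRING deviceName, dosDeviceName;

    DbgPrint("Vulnerable Driver Entry Point; J.C. In!\n");
    RtlInitUnicodeString(&deviceName, DEVICE_NAME);

    st = IoCreateDevice(
        DriverObject,
        0,                      /* no device extension */
        &deviceName,
        FILE_DEVICE_UNKNOWN,
        0,                      /* no device characteristics */
        FALSE,                  /* not exclusive */
        &deviceObject);

    if (!NT_SUCCESS(st))
    {
        DbgPrint("IoCreateDevice failed\n");
        return st;
    }

    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctlHandler;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = openCloseHandler;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = openCloseHandler;

    RtlInitUnicodeString(&dosDeviceName, DOS_DEVICE_NAME);
    st = IoCreateSymbolicLink(&dosDeviceName, &deviceName);

    if (!NT_SUCCESS(st))
    {
        DbgPrint("IoCreateSymbolicLink failed\n");
        /*
         * IoCreateDevice succeeded above, so the device object exists and
         * must be deleted before the load is failed. The original's
         * "IoDeleteDevice failed" branch reported a failure that had not
         * happened and is dropped.
         */
        if (deviceObject)
            IoDeleteDevice(deviceObject);
        return st;
    }

    return st;
}
--------------------------------------------------------------------------------
/Vulnerable Driver/Vulnerable Driver.vcxproj: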
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Win8.1 Debug 6 | Win32 7 | 8 | 9 | Win8 Debug 10 | Win32 11 | 12 | 13 | Win7 Debug 14 | Win32 15 | 16 | 17 | Win8.1 Release 18 | Win32 19 | 20 | 21 | Win8 Release 22 | Win32 23 | 24 | 25 | Win7 Release 26 | Win32 27 | 28 | 29 | Win8.1 Debug 30 | x64 31 | 32 | 33 | Win8 Debug 34 | x64 35 | 36 | 37 | Win7 Debug 38 | x64 39 | 40 | 41 | Win8.1 Release 42 | x64 43 | 44 | 45 | Win8 Release 46 | x64 47 | 48 | 49 | Win7 Release 50 | x64 51 | 52 | 53 | 54 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F} 55 | {1bc93793-694f-48fe-9372-81e2b05556fd} 56 | v4.5 57 | 12.0 58 | Debug 59 | Win32 60 | Vulnerable_Driver 61 | $(LatestTargetPlatformVersion) 62 | 63 | 64 | 65 | Windows10 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | KMDF 70 | Universal 71 | 72 | 73 | Win7 74 | False 75 | WDM 76 | WindowsKernelModeDriver8.1 77 | Driver 78 | 79 | 80 | Win8 81 | False 82 | WDM 83 | WindowsKernelModeDriver8.1 84 | Driver 85 | 86 | 87 | WindowsV6.3 88 | False 89 | WDM 90 | WindowsKernelModeDriver8.1 91 | Driver 92 | 93 | 94 | Win7 95 | True 96 | WDM 97 | WindowsKernelModeDriver8.1 98 | Driver 99 | 100 | 101 | Win8 102 | True 103 | WDM 104 | WindowsKernelModeDriver8.1 105 | Driver 106 | 107 | 108 | WindowsV6.3 109 | True 110 | WDM 111 | WindowsKernelModeDriver8.1 112 | Driver 113 | 114 | 115 | Win7 116 | False 117 | WDM 118 | WindowsKernelModeDriver8.1 119 | Driver 120 | 121 | 122 | Win8 123 | False 124 | WDM 125 | WindowsKernelModeDriver8.1 126 | Driver 127 | 128 | 129 | WindowsV6.3 130 | False 131 | WDM 132 | WindowsKernelModeDriver8.1 133 | Driver 134 | 135 | 136 | Win7 137 | True 138 | WDM 139 | WindowsKernelModeDriver8.1 140 | Driver 141 | 142 | 143 | Win8 144 | True 145 | WDM 146 | WindowsKernelModeDriver8.1 147 | Driver 148 | 149 | 150 | WindowsV6.3 151 | True 152 | WDM 153 | WindowsKernelModeDriver8.1 154 | Driver 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 
166 | DbgengKernelDebugger 167 | 168 | 169 | DbgengKernelDebugger 170 | 171 | 172 | DbgengKernelDebugger 173 | 174 | 175 | DbgengKernelDebugger 176 | 177 | 178 | DbgengKernelDebugger 179 | 180 | 181 | DbgengKernelDebugger 182 | 183 | 184 | DbgengKernelDebugger 185 | 186 | 187 | DbgengKernelDebugger 188 | 189 | 190 | 191 | C:\Program Files (x86)\Windows Kits\8.1\Include\km;$(IntDir);%(AdditionalIncludeDirectories) 192 | 193 | 194 | 195 | 196 | false 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | -------------------------------------------------------------------------------- /Vulnerable Driver/Vulnerable Driver.vcxproj.BCK2: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Win8.1 Debug 6 | Win32 7 | 8 | 9 | Win8 Debug 10 | Win32 11 | 12 | 13 | Win7 Debug 14 | Win32 15 | 16 | 17 | Win8.1 Release 18 | Win32 19 | 20 | 21 | Win8 Release 22 | Win32 23 | 24 | 25 | Win7 Release 26 | Win32 27 | 28 | 29 | Win8.1 Debug 30 | x64 31 | 32 | 33 | Win8 Debug 34 | x64 35 | 36 | 37 | Win7 Debug 38 | x64 39 | 40 | 41 | Win8.1 Release 42 | x64 43 | 44 | 45 | Win8 Release 46 | x64 47 | 48 | 49 | Win7 Release 50 | x64 51 | 52 | 53 | 54 | {6C15CA05-5B01-4E0E-8486-11C11DB8961F} 55 | $(MSBuildProjectName) 56 | Win8.1 Debug 57 | Win32 58 | {7A19C306-821B-4B04-8958-3AA34A048396} 59 | 60 | 61 | 62 | Win7 63 | False 64 | WDM 65 | WindowsKernelModeDriver8.1 66 | Driver 67 | 68 | 69 | Win8 70 | False 71 | WDM 72 | WindowsKernelModeDriver8.1 73 | Driver 74 | 75 | 76 | WindowsV6.3 77 | False 78 | WDM 79 | WindowsKernelModeDriver8.1 80 | Driver 81 | 82 | 83 | Win7 84 | True 85 | WDM 86 | WindowsKernelModeDriver8.1 87 | Driver 88 | 89 | 90 | Win8 91 | True 92 | WDM 93 | WindowsKernelModeDriver8.1 94 | Driver 95 | 96 | 97 | WindowsV6.3 98 | True 99 | WDM 100 | WindowsKernelModeDriver8.1 101 | Driver 102 | 103 | 104 | Win7 105 | False 106 | WDM 107 | WindowsKernelModeDriver8.1 108 | 
Driver 109 | 110 | 111 | Win8 112 | False 113 | WDM 114 | WindowsKernelModeDriver8.1 115 | Driver 116 | 117 | 118 | WindowsV6.3 119 | False 120 | WDM 121 | WindowsKernelModeDriver8.1 122 | Driver 123 | 124 | 125 | Win7 126 | True 127 | WDM 128 | WindowsKernelModeDriver8.1 129 | Driver 130 | 131 | 132 | Win8 133 | True 134 | WDM 135 | WindowsKernelModeDriver8.1 136 | Driver 137 | 138 | 139 | WindowsV6.3 140 | True 141 | WDM 142 | WindowsKernelModeDriver8.1 143 | Driver 144 | 145 | 146 | 147 | $(IntDir) 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | Vulnerable Driver 188 | 189 | 190 | Vulnerable Driver 191 | 192 | 193 | Vulnerable Driver 194 | 195 | 196 | Vulnerable Driver 197 | 198 | 199 | Vulnerable Driver 200 | 201 | 202 | Vulnerable Driver 203 | 204 | 205 | Vulnerable Driver 206 | 207 | 208 | Vulnerable Driver 209 | 210 | 211 | Vulnerable Driver 212 | 213 | 214 | Vulnerable Driver 215 | 216 | 217 | Vulnerable Driver 218 | 219 | 220 | Vulnerable Driver 221 | 222 | 223 | 224 | true 225 | Level4 226 | 227 | 228 | 229 | 230 | 231 | 232 | true 233 | Level4 234 | 235 | 236 | 237 | 238 | 239 | 240 | true 241 | Level4 242 | 243 | 244 | 245 | 246 | 247 | 248 | true 249 | Level4 250 | 251 | 252 | 253 | 254 | 255 | 256 | true 257 | Level4 258 | 259 | 260 | 261 | 262 | 263 | 264 | true 265 | Level4 266 | 267 | 268 | 269 | 270 | 271 | 272 | true 273 | Level4 274 | 275 | 276 | 277 | 278 | 279 | 280 | true 281 | Level4 282 | 283 | 284 | 285 | 286 | 287 | 288 | true 289 | Level4 290 | 291 | 292 | 293 | 294 | 295 | 296 | true 297 | Level4 298 | 299 | 300 | 301 | 302 | 303 | 304 | true 305 | Level4 306 | 307 | 308 | 309 | 310 | 311 | 312 | true 313 | Level4 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 
--------------------------------------------------------------------------------