#include <ntifs.h>
#include <ntddk.h>
/* Section attribute flag carrying the same numeric value as the Win32 SEC_IMAGE.
 * Not referenced anywhere in this file: DriverEntry creates its section with
 * SEC_COMMIT instead. */
#define SEC_IMAGE 0x1000000
/* Prototype of the MmCreateSection routine (not in the public WDK headers).
 * Declared here but unused: DriverEntry calls MiCreateSection directly. */
typedef NTSTATUS (*fnMmCreateSection)(
OUT PVOID *SectionObject,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL,
IN PFILE_OBJECT File OPTIONAL
);
/* Prototypes for internal memory-manager / I/O-manager routines. None of them
 * is exported or declared by the WDK; DriverEntry reaches them through absolute
 * addresses, so these parameter lists are presumably reverse-engineered for one
 * specific kernel build and carry no API contract. Arguments named a1..a10 have
 * no documented meaning in this file.
 *
 * NOTE(review): a4 is declared PLARGE_INTEGER * but the only caller passes
 * &fileinfo.EndOfFile.QuadPart, i.e. a LONGLONG *; the two differ by one level
 * of indirection, so confirm which the real routine expects. */
typedef NTSTATUS (*ptrMiCreateSection)(PVOID *a1, POBJECT_ATTRIBUTES a2, char a3, PLARGE_INTEGER *a4, ULONG a5, ULONG a6, char a7, HANDLE a8, PFILE_OBJECT a9, KPROCESSOR_MODE a10);
/* Called below as (section, MmSession, &mappedbase, &viewsize, &value, 0):
 * c receives the system-space base of the view, size its length. */
typedef NTSTATUS (*ptrMiMapViewInSystemSpace)(PVOID a,PVOID b,PVOID *c, PSIZE_T size, PULONG a3,ULONG mask OPTIONAL);
/* Called below as (MmSession, mappedbase, 0) to undo the mapping above. */
typedef NTSTATUS (*ptrMiRemoveFromSystemSpace)(PVOID Session,PVOID mappedbase,INT a1);
/* Internal file-open routine; the parameter list mirrors the documented
 * IoCreateFileEx arguments plus the trailing Flags/pIoDriverCreateContext pair.
 * The "Win81" suffix on the variable that holds it suggests the layout was
 * taken from a Windows 8.1 kernel — not verifiable from this file. */
typedef NTSTATUS (*ptrIopCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG Disposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength,
CREATE_FILE_TYPE CreateFileType,
PVOID InternalParameters,
ULONG Options,
ULONG Flags,
PVOID pIoDriverCreateContext
);
/* DriverUnload callback: emits one blank debugger line and nothing else.
 * No resource is released here because DriverEntry tears down everything it
 * creates before it returns. */
VOID Unload(PDRIVER_OBJECT pdriver)
{
    UNREFERENCED_PARAMETER(pdriver);
    DbgPrint("\r\n");
}
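/*
 * Driver entry point: opens ntdll.dll by its kernel path, creates a section
 * over it through the internal MiCreateSection routine, maps that section into
 * system space, and tears the mapping down again before returning.
 *
 * @param pdriver    Driver object; only DriverUnload is set on it.
 * @param pregister  Registry path of the driver's service key; unused.
 * @return           STATUS_SUCCESS when the map/unmap round trip completed,
 *                   otherwise the first failing NTSTATUS. A failing return
 *                   makes the driver load fail, in which case Unload is not
 *                   invoked.
 *
 * The four kernel routines and the MmSession global are reached through
 * absolute addresses. Those values belong to one specific kernel image and
 * layout (they change with the kernel build and, under KASLR, from boot to
 * boot), so on any other system these calls execute arbitrary kernel memory
 * at ring 0. There is no public API that resolves non-exported Mi*/Iop*
 * routines; the constants must be re-derived for the target before the
 * driver is loaded there.
 *
 * Changes from the original: `handle` is now initialised, because the
 * `if (handle) ZwClose(handle)` guard read it even when the open failed;
 * the integer-to-pointer assignment of MmSession is cast explicitly; the
 * unused `buffer` local and a dead re-initialisation of `oa` are dropped;
 * the nested success checks are flattened into goto-style cleanup.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING pregister)
{
    NTSTATUS nStatus = STATUS_SUCCESS;
    UNICODE_STRING uni;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK io;
    HANDLE handle = NULL;          /* read by the cleanup guard even if the open fails */
    FILE_STANDARD_INFORMATION fileinfo;
    PVOID section = NULL;
    PFILE_OBJECT fileobject = NULL;
    SIZE_T viewsize = 0;
    PVOID mappedbase = NULL;
    ULONG value = 0;

    /* Build-specific absolute addresses; see the header comment. */
    PVOID MmSession = (PVOID)0xfffff801f73451e0;
    ptrIopCreateFile IopCreateFileWin81 = (ptrIopCreateFile)0xfffff801f7444470;
    ptrMiCreateSection MiCreateSection = (ptrMiCreateSection)0xfffff801f7436350;
    ptrMiMapViewInSystemSpace MiMapViewInSystemSpace = (ptrMiMapViewInSystemSpace)0xfffff801f7493108;
    ptrMiRemoveFromSystemSpace MiRemoveFromSystemSpace = (ptrMiRemoveFromSystemSpace)0xfffff801f71399a4;

    UNREFERENCED_PARAMETER(pregister);

    pdriver->DriverUnload = (PDRIVER_UNLOAD)Unload;

    /* Open the target read-only through the internal IopCreateFile entry,
     * as a kernel handle so it is not visible from user mode. */
    RtlInitUnicodeString(&uni, L"\\??\\C:\\Windows\\System32\\ntdll.dll");
    InitializeObjectAttributes(&oa, &uni, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    nStatus = IopCreateFileWin81(&handle, FILE_GENERIC_READ | SYNCHRONIZE, &oa,
                                 &io, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                                 FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0,
                                 CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING, 0, NULL);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* The file's EndOfFile becomes the section's maximum size. */
    RtlSecureZeroMemory(&fileinfo, sizeof(FILE_STANDARD_INFORMATION));
    nStatus = ZwQueryInformationFile(handle, &io, &fileinfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* MiCreateSection takes the FILE_OBJECT as well as the handle. */
    nStatus = ObReferenceObjectByHandle(handle, FILE_GENERIC_READ | SYNCHRONIZE, *IoFileObjectType, KernelMode, &fileobject, NULL);
    if (!NT_SUCCESS(nStatus)) {
        goto cleanup;
    }

    /* NOTE(review): the handle was opened with FILE_GENERIC_READ only, yet the
     * section requests PAGE_READWRITE; the documented NtCreateSection path is
     * expected to reject that combination, so what the internal routine
     * enforces here is unverified. The literal 2 and 0 arguments have no
     * documented meaning in this file. */
    nStatus = MiCreateSection(&section, NULL, 2, &fileinfo.EndOfFile.QuadPart, PAGE_READWRITE, SEC_COMMIT, 0, handle, fileobject, KernelMode);
    if (NT_SUCCESS(nStatus)) {
        nStatus = MiMapViewInSystemSpace(section, MmSession, &mappedbase, &viewsize, &value, 0);
        if (NT_SUCCESS(nStatus)) {
            DbgPrint("\r\nSection successfully mapped in system space");
        }
    }
    /* NOTE(review): `section` is never dereferenced; if MiCreateSection returns
     * a referenced object (as MmCreateSection does) it leaks here — confirm. */
    ObfDereferenceObject(fileobject);

cleanup:
    if (handle) {
        ZwClose(handle);
    }
    if (mappedbase) {
        /* The view never outlives DriverEntry: unmap it before returning. */
        MiRemoveFromSystemSpace(MmSession, mappedbase, 0);
    }
    return nStatus;
}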