Implement clearing of PiDDBCacheTable

2019-10-25 23:04:37 +03:00
parent a70e816208
commit 4408833cde
5 changed files with 231 additions and 2 deletions
--- a/swhinjector/src/intel_driver.cpp
+++ b/swhinjector/src/intel_driver.cpp
@@ -37,6 +37,7 @@ void intel_driver::Unload(HANDLE device_handle)
 	std::cout << "[<] Unloading vulnerable driver" << std::endl;
 	ClearMmUnloadedDrivers(device_handle);
 	ClearPiDDBCacheTable(device_handle);
 	CloseHandle(device_handle);
 	service::StopAndRemove(driver_name);
@@ -368,3 +369,176 @@ bool intel_driver::ClearMmUnloadedDrivers(HANDLE device_handle)
 	return true;
 }
 bool LocatePiDDB(HANDLE device_handle, uint64_t* lock, uint64_t* table) {
 	auto kernel_base = utils::GetKernelModuleAddress("ntoskrnl.exe");
 	if (!kernel_base)
 		return false;
 	IMAGE_DOS_HEADER dos_header;
 	intel_driver::ReadMemory(device_handle, kernel_base, &dos_header, sizeof(dos_header));
 	if (dos_header.e_magic != IMAGE_DOS_SIGNATURE)
 		return false;
 	IMAGE_NT_HEADERS nt_headers;
 	intel_driver::ReadMemory(device_handle, kernel_base + dos_header.e_lfanew, &nt_headers, sizeof(nt_headers));
 	if (nt_headers.Signature != IMAGE_NT_SIGNATURE)
 		return false;
 	std::vector<uint8_t> ntoskrnl_file(nt_headers.OptionalHeader.SizeOfImage);
 	if (!intel_driver::ReadMemory(device_handle, kernel_base, ntoskrnl_file.data(), nt_headers.OptionalHeader.SizeOfImage))
 		return false;
 	auto lock_sig = utils::FindPatternInVector(ntoskrnl_file, "48 8D 0D ? ? ? ? E8 ? ? ? ? 48 8B 0D ? ? ? ? 33 DB");
 	if (!lock_sig)
 		return false;
 	auto table_sig = utils::FindPatternInVector(ntoskrnl_file, "48 8D 0D ? ? ? ? E8 ? ? ? ? 3D ? ? ? ? 0F 83 ? ? ? ?");
 	if (!table_sig)
 		return false;
 	int lock_rel_addr;
 	if (!intel_driver::ReadMemory(device_handle, kernel_base + lock_sig + 3, &lock_rel_addr, sizeof(lock_rel_addr)))
 		return false;
 	int table_rel_addr;
 	if (!intel_driver::ReadMemory(device_handle, kernel_base + table_sig + 3, &table_rel_addr, sizeof(table_rel_addr)))
 		return false;
 	auto lock_addr = lock_sig + lock_rel_addr + 7;
 	auto table_addr = table_sig + table_rel_addr + 7;
 	*lock = kernel_base + lock_addr;
 	*table = kernel_base + table_addr;
 	return true;
 }
 bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
 	uint64_t piddb_lock;
 	uint64_t piddb_cache_table;
 	if (!LocatePiDDB(device_handle, &piddb_lock, &piddb_cache_table))
 		return false;
 	// build lookup entry
 	nt::PiDDBCacheEntry lookup_entry{};
 	RtlInitUnicodeString(&lookup_entry.DriverName, L"iqvw64e.sys");
 	lookup_entry.TimeDateStamp = 0x5284EAC3;
 	// lock the table for safety
 	if (!ExAcquireResourceExclusiveLite(device_handle, piddb_lock, TRUE))
 		return false;
 	auto found_entry = (nt::PiDDBCacheEntry*)RtlLookupElementGenericTableAvl(device_handle, piddb_cache_table, &lookup_entry);
 	if (!found_entry) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
 	// remove the entry from the list
 	if (!RemoveEntryList(device_handle, &found_entry->List)) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
 	// remove the entry from the table
 	if (!RtlDeleteElementGenericTableAvl(device_handle, piddb_cache_table, &found_entry)) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
 	// unlock the table
 	ExReleaseResourceLite(device_handle, piddb_lock);
 	return true;
 }
 void* intel_driver::RtlLookupElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer)
 {
 	if (!table || !buffer)
 		return 0;
 	static uint64_t kernel_RtlLookupElementGenericTableAvl = 0;
 	if (!kernel_RtlLookupElementGenericTableAvl)
 		kernel_RtlLookupElementGenericTableAvl = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("ntoskrnl.exe"), "RtlLookupElementGenericTableAvl");
 	void* result = 0;
 	if (!CallKernelFunction(device_handle, &result, kernel_RtlLookupElementGenericTableAvl, table, buffer))
 		return 0;
 	return result;
 }
 bool intel_driver::RtlDeleteElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer)
 {
 	if (!table || !buffer)
 		return false;
 	static uint64_t kernel_RtlDeleteElementGenericTableAvl = false;
 	if (!kernel_RtlDeleteElementGenericTableAvl)
 		kernel_RtlDeleteElementGenericTableAvl = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("ntoskrnl.exe"), "RtlDeleteElementGenericTableAvl");
 	bool result = false;
 	if (!CallKernelFunction(device_handle, &result, kernel_RtlDeleteElementGenericTableAvl, table, buffer))
 		return 0;
 	return result;
 }
 bool intel_driver::ExAcquireResourceExclusiveLite(HANDLE device_handle, uint64_t resource, BOOLEAN wait)
 {
 	if (!resource)
 		return false;
 	static uint64_t kernel_ExAcquireResourceExclusiveLite = false;
 	if (!kernel_ExAcquireResourceExclusiveLite)
 		kernel_ExAcquireResourceExclusiveLite = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExAcquireResourceExclusiveLite");
 	bool result = false;
 	if (!CallKernelFunction(device_handle, &result, kernel_ExAcquireResourceExclusiveLite, resource, wait))
 		return 0;
 	return result;
 }
 void intel_driver::ExReleaseResourceLite(HANDLE device_handle, uint64_t resource)
 {
 	if (!resource)
 		return;
 	static uint64_t kernel_ExReleaseResourceLite = false;
 	if (!kernel_ExReleaseResourceLite)
 		kernel_ExReleaseResourceLite = GetKernelModuleExport(device_handle, utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExReleaseResourceLite");
 	CallKernelFunction<void>(device_handle, nullptr, kernel_ExReleaseResourceLite, resource);
 }
 bool intel_driver::RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry)
 {
 	constexpr auto flink_offset = offsetof(LIST_ENTRY, Flink);
 	constexpr auto blink_offset = offsetof(LIST_ENTRY, Blink);
 	PLIST_ENTRY flink;
 	PLIST_ENTRY blink;
 	if (!ReadMemory(device_handle, (uint64_t)Entry + flink_offset, &flink, sizeof(flink)))
 		return false;
 	if (!ReadMemory(device_handle, (uint64_t)Entry + blink_offset, &blink, sizeof(blink)))
 		return false;
 	if (!WriteMemory(device_handle, (uint64_t)blink + flink_offset, &flink, sizeof(flink)))
 		return false;
 	if (!WriteMemory(device_handle, (uint64_t)flink + blink_offset, &blink, sizeof(blink)))
 		return false;
 	return true;
 }
--- a/swhinjector/src/intel_driver.hpp
+++ b/swhinjector/src/intel_driver.hpp
@@ -77,6 +77,14 @@ namespace intel_driver
 	uint64_t GetKernelModuleExport(HANDLE device_handle, uint64_t kernel_module_base, const std::string& function_name);
 	bool GetNtGdiDdDDIReclaimAllocations2KernelInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint64_t* out_kernel_original_function_address);
 	bool ClearMmUnloadedDrivers(HANDLE device_handle);
 	bool ClearPiDDBCacheTable(HANDLE device_handle);
 	void* RtlLookupElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
 	bool RtlDeleteElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
 	bool ExAcquireResourceExclusiveLite(HANDLE device_handle, uint64_t resource, BOOLEAN wait);
 	void ExReleaseResourceLite(HANDLE device_handle, uint64_t resource);
 	bool RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry);
 	template<typename T, typename ...A>
 	bool CallKernelFunction(HANDLE device_handle, T* out_result, uint64_t kernel_function_address, const A ...arguments)
--- a/swhinjector/src/nt.hpp
+++ b/swhinjector/src/nt.hpp
@@ -76,4 +76,21 @@ namespace nt
 		ULONG NumberOfModules;
 		RTL_PROCESS_MODULE_INFORMATION Modules[1];
 	} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 	typedef struct _RTL_BALANCED_LINKS
 	{
 		struct _RTL_BALANCED_LINKS* Parent;
 		struct _RTL_BALANCED_LINKS* LeftChild;
 		struct _RTL_BALANCED_LINKS* RightChild;
 		CHAR Balance;
 		UCHAR Reserved[3];
 	} RTL_BALANCED_LINKS, * PRTL_BALANCED_LINKS;
 	struct PiDDBCacheEntry {
 		LIST_ENTRY		List;
 		UNICODE_STRING	DriverName;
 		ULONG			TimeDateStamp;
 		NTSTATUS		LoadStatus;
 		char			_0x0028[16]; // data from the shim engine, or uninitialized memory for custom drivers
 	};
 }
--- a/swhinjector/src/utils.cpp
+++ b/swhinjector/src/utils.cpp
@@ -66,3 +66,31 @@ uint64_t utils::GetKernelModuleAddress(const std::string& module_name)
 	VirtualFree(buffer, 0, MEM_RELEASE);
 	return 0;
 }
 uint64_t utils::FindPatternInVector(const std::vector<uint8_t>& vector, const std::string& pattern) {
 	using sig_byte = std::pair<uint8_t, bool>;
 	std::vector<sig_byte> sig;
 	for (auto i = 0; i < pattern.length() - 1; i += 2) {
 		if (pattern[i] == '?') {
 			sig.emplace_back(std::make_pair('\x00', true));
 		}
 		else {
 			sig.emplace_back(std::make_pair((uint8_t)std::stoi(pattern.substr(i, 2), nullptr, 16), false));
 			i++;
 		}
 	}
 	auto offset = std::search(
 		vector.begin(),
 		vector.end(),
 		sig.begin(), sig.end(),
 		[](uint8_t current_byte, sig_byte current_sig_byte) {
 			// if wildcard or matching
 			return current_sig_byte.second || (current_byte == current_sig_byte.first);
 		});
 	std::vector<uint8_t> result(offset, offset + sig.size());
 	return offset == vector.end() ? 0 : std::distance(vector.begin(), offset);
 }
--- a/swhinjector/src/utils.hpp
+++ b/swhinjector/src/utils.hpp
@@ -6,6 +6,7 @@
 #include <string>
 #include <iostream>
 #include <fstream>
 #include <algorithm>
 #include "nt.hpp"
@@ -14,4 +15,5 @@ namespace utils
 	bool ReadFileToMemory(const std::string& file_path, std::vector<uint8_t>* out_buffer);
 	bool CreateFileFromMemory(const std::string& desired_file_path, const char* address, size_t size);
 	uint64_t GetKernelModuleAddress(const std::string& module_name);
 	uint64_t FindPatternInVector(const std::vector<uint8_t>& vector, const std::string& pattern);
 }