service.cpp
#include "service.hpp"
// Creates (or reuses) a kernel-driver service key for the driver named by
// intel_driver::GetDriverNameW() under HKLM\SYSTEM\CurrentControlSet\Services,
// writes its ImagePath and Type values, enables SeLoadDriverPrivilege on the
// current process and then asks the kernel to load the driver via NtLoadDriver.
// @param driver_path  on-disk path of the driver image; stored in ImagePath with
//                     a "\??\" prefix so the kernel resolves it as an NT path.
// @return true when NtLoadDriver succeeds or reports STATUS_IMAGE_ALREADY_LOADED;
//         false on any registry, privilege-adjustment or load failure.
// NOTE(review): each step leaves a host-visible artifact (service key creation,
// ImagePath/Type value writes, a privilege adjustment, the driver-load event);
// those are the observables a detection engineer would monitor for this sequence.
bool service::RegisterAndStart(const std::wstring& driver_path) {
// SERVICE_KERNEL_DRIVER (1). Static so the address handed to RegSetKeyValueW below
// refers to storage that outlives the call's argument evaluation.
const static DWORD ServiceTypeKernel = 1;
const std::wstring driver_name = intel_driver::GetDriverNameW();
const std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + driver_name;
// "\??\" turns the Win32 path into an object-manager path for the kernel loader.
const std::wstring nPath = L"\\??\\" + driver_path;
HKEY dservice;
LSTATUS status = RegCreateKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &dservice); //Returns Ok if already exists
if (status != ERROR_SUCCESS) {
Log("[-] Can't create service key" << std::endl);
return false;
}
// Byte length is size()*sizeof(wchar_t); the value is written as REG_EXPAND_SZ.
status = RegSetKeyValueW(dservice, NULL, L"ImagePath", REG_EXPAND_SZ, nPath.c_str(), (DWORD)(nPath.size()*sizeof(wchar_t)));
if (status != ERROR_SUCCESS) {
RegCloseKey(dservice);
Log("[-] Can't create 'ImagePath' registry value" << std::endl);
return false;
}
status = RegSetKeyValueW(dservice, NULL, L"Type", REG_DWORD, &ServiceTypeKernel, sizeof(DWORD));
if (status != ERROR_SUCCESS) {
RegCloseKey(dservice);
Log("[-] Can't create 'Type' registry value" << std::endl);
return false;
}
// All registry work is finished; the handle is not needed for the load itself.
RegCloseKey(dservice);
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
if (ntdll == NULL) {
return false;
}
// Native entry points resolved at runtime through the project's nt:: typedefs.
// NOTE(review): neither pointer is null-checked before being called below.
auto RtlAdjustPrivilege = (nt::RtlAdjustPrivilege)GetProcAddress(ntdll, "RtlAdjustPrivilege");
auto NtLoadDriver = (nt::NtLoadDriver)GetProcAddress(ntdll, "NtLoadDriver");
// Privilege index of SeLoadDriverPrivilege (SE_LOAD_DRIVER_PRIVILEGE == 10).
ULONG SE_LOAD_DRIVER_PRIVILEGE = 10UL;
BOOLEAN SeLoadDriverWasEnabled;
// Enable for the current process (third argument FALSE = not thread-scoped);
// the previous state is returned but not used here.
NTSTATUS Status = RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE, FALSE, &SeLoadDriverWasEnabled);
if (!NT_SUCCESS(Status)) {
Log("Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator." << std::endl);
return false;
}
// NtLoadDriver takes the service key in NT registry-path form, not the Win32 form used above.
std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + driver_name;
UNICODE_STRING serviceStr;
RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str());
Status = NtLoadDriver(&serviceStr);
Log("[+] NtLoadDriver Status 0x" << std::hex << Status << std::endl);
// STATUS_IMAGE_CERT_REVOKED: Microsoft's vulnerable driver blocklist rejected the image.
// From a hardening standpoint, that blocklist being enabled is the control that stops this load.
if (Status == 0xC0000603) { //STATUS_IMAGE_CERT_REVOKED
Log("[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver" << std::endl);
Log("[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config" << std::endl);
Log("[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0" << std::endl);
}
//Never should occur since kdmapper checks for "IsRunning" driver before
if (Status == 0xC000010E) {// STATUS_IMAGE_ALREADY_LOADED
return true;
}
return NT_SUCCESS(Status);
}
// Unloads the driver whose service key is named driver_name and deletes that
// key from HKLM\SYSTEM\CurrentControlSet\Services.
// @param driver_name  service / registry key name (not a file path).
// @return true if the key is already absent, or if the driver unloaded and the
//         key was deleted; false if ntdll cannot be found, the key cannot be
//         opened for another reason, NtUnloadDriver returns non-zero, or the
//         key deletion fails.
bool service::StopAndRemove(const std::wstring& driver_name) {
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
if (ntdll == NULL)
return false;
// NT registry-path form expected by NtUnloadDriver.
std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + driver_name;
UNICODE_STRING serviceStr;
RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str());
HKEY driver_service;
std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + driver_name;
// The key is opened only as an existence check; it is closed immediately and
// later deleted by path.
LSTATUS status = RegOpenKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &driver_service);
if (status != ERROR_SUCCESS) {
// No service key means there is nothing to unload or remove.
if (status == ERROR_FILE_NOT_FOUND) {
return true;
}
return false;
}
RegCloseKey(driver_service);
// NOTE(review): the resolved pointer is not null-checked before the call.
auto NtUnloadDriver = (nt::NtUnloadDriver)GetProcAddress(ntdll, "NtUnloadDriver");
NTSTATUS st = NtUnloadDriver(&serviceStr);
Log("[+] NtUnloadDriver Status 0x" << std::hex << st << std::endl);
// Anything other than STATUS_SUCCESS (0) counts as an unload failure here.
if (st != 0x0) {
Log("[-] Driver Unload Failed!!" << std::endl);
// The key is still deleted (this status is not checked), but failure is reported.
status = RegDeleteTreeW(HKEY_LOCAL_MACHINE, servicesPath.c_str());
return false; //lets consider unload fail as error because can cause problems with anti cheats later
}
status = RegDeleteTreeW(HKEY_LOCAL_MACHINE, servicesPath.c_str());
if (status != ERROR_SUCCESS) {
return false;
}
return true;
}