#include "pch.h"
#include "tdriver.h"
// Set to TRUE once DriverEntry has registered the process-creation callback;
// TdDeviceUnload reads it to decide whether the callback must be removed again.
BOOLEAN TdProcessNotifyRoutineSet2 = FALSE;
DRIVER_INITIALIZE DriverEntry;
_Dispatch_type_(IRP_MJ_CREATE) DRIVER_DISPATCH TdDeviceCreate;
DRIVER_UNLOAD TdDeviceUnload;
// Context passed from the process-creation callback to WorkRoutine. Allocated from
// NonPagedPool in TdCreateProcessNotifyRoutine2, freed by WorkRoutine.
typedef struct _OSR_WORK_ITEM
{
WORK_QUEUE_ITEM WorkItem;
PVOID Process; // EPROCESS pointer stored raw; no ObReferenceObject call appears in this file
} OSR_WORK_ITEM, *POSR_WORK_ITEM;
// NOTE(review): the next three globals are never read or written by any routine in this
// file; they only mirror the names of the EPROCESS fields WorkRoutine overwrites by offset.
int MitigationFlags = 0;
char SignatureLevel = 0;
char SectionSignatureLevel = 0;
// Last process object WorkRoutine patched (assigned there, never read here).
PVOID vmwpProcess;
// Delayed work item: roughly two seconds after vmwp.exe is created, zero three EPROCESS
// fields by raw byte offset. The offsets are hard-coded for one particular kernel build;
// on any other build the writes land on whatever EPROCESS member happens to be at that
// offset, so this is a memory-corruption hazard rather than a supported interface.
// Parameter: the POSR_WORK_ITEM queued by TdCreateProcessNotifyRoutine2; freed here on
// every path.
VOID WorkRoutine(PVOID Parameter)
{
ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
POSR_WORK_ITEM OsrWorkItem = (POSR_WORK_ITEM)Parameter;
LARGE_INTEGER delay;
// Negative value = relative wait in 100 ns units: 10000 * 2000 = 2,000 ms.
delay.QuadPart = -10000 * 2000;
// The writes are skipped unless the wait completes normally; the item is freed regardless.
if (STATUS_SUCCESS == KeDelayExecutionThread(KernelMode, FALSE, &delay))
{
vmwpProcess = OsrWorkItem->Process;
// NOTE(review): Process is a raw pointer captured at creation time and nothing in this
// file references the object, so if the process has already exited during the delay
// these writes hit freed pool (bugcheck risk).
memset(((char *)OsrWorkItem->Process) + 0x850, 0, sizeof(int)); // +0x850 MitigationFlags : Uint4B
memset(((char *)OsrWorkItem->Process) + 0x6f8, 0, sizeof(char)); // +0x6f8 SignatureLevel : UChar
memset(((char *)OsrWorkItem->Process) + 0x6f9, 0, sizeof(char)); // + 0x6f9 SectionSignatureLevel : UChar
}
ExFreePool(OsrWorkItem);
}
// PsSetCreateProcessNotifyRoutineEx callback. CreateInfo is NULL for process exit (per
// that API's contract), so only creations are examined. When the new image's full NT
// path equals the fixed vmwp.exe path (case-insensitive), a work item carrying the
// EPROCESS pointer is queued to WorkRoutine on the delayed system work queue.
// ProcessId is unused.
VOID TdCreateProcessNotifyRoutine2(
_Inout_ PEPROCESS Process,
_In_ HANDLE ProcessId,
_In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
UNREFERENCED_PARAMETER(ProcessId);
if (CreateInfo != NULL)
{
// Whole-string compare against one literal path; any other location does not match.
UNICODE_STRING vmwp = RTL_CONSTANT_STRING(L"\\??\\C:\\Windows\\System32\\vmwp.exe");
if (RtlCompareUnicodeString(&vmwp, CreateInfo->ImageFileName, TRUE) == 0)
{
POSR_WORK_ITEM OsrWorkItem;
// NOTE(review): the allocation result is not checked for NULL before it is written
// through on the next line, and the pool block carries no tag.
OsrWorkItem = ExAllocatePool(NonPagedPool, sizeof(OSR_WORK_ITEM));
OsrWorkItem->Process = (PVOID)Process; // stored raw; no object reference is taken here
ExInitializeWorkItem(&OsrWorkItem->WorkItem, WorkRoutine, OsrWorkItem);
ExQueueWorkItem(&OsrWorkItem->WorkItem, DelayedWorkQueue);
}
}
}
// Driver initialization. Routes CREATE, CLOSE, CLEANUP and DEVICE_CONTROL IRPs to the
// single completion stub TdDeviceCreate, installs the unload handler and registers
// TdCreateProcessNotifyRoutine2 as a process-creation callback.
// RegistryPath is unused.
// Returns STATUS_SUCCESS, or the failure status reported by
// PsSetCreateProcessNotifyRoutineEx (in which case the flag is left FALSE).
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Every handled major function shares the same stub, so fill them from a table.
    const int routedMajorFunctions[] = {
        IRP_MJ_CREATE,
        IRP_MJ_CLOSE,
        IRP_MJ_CLEANUP,
        IRP_MJ_DEVICE_CONTROL,
    };
    for (unsigned i = 0; i < sizeof routedMajorFunctions / sizeof routedMajorFunctions[0]; i++)
    {
        DriverObject->MajorFunction[routedMajorFunctions[i]] = TdDeviceCreate;
    }
    DriverObject->DriverUnload = TdDeviceUnload;

    // Second argument FALSE = register the callback (TRUE removes it).
    const NTSTATUS registerStatus =
        PsSetCreateProcessNotifyRoutineEx(TdCreateProcessNotifyRoutine2, FALSE);
    if (NT_SUCCESS(registerStatus))
    {
        TdProcessNotifyRoutineSet2 = TRUE;
    }
    else
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ObCallbackTest: DriverEntry: PsSetCreateProcessNotifyRoutineEx(2) returned 0x%x\n", registerStatus);
    }
    return registerStatus;
}
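// Driver unload: removes the process-creation callback if DriverEntry registered it,
// and clears the registration flag to mirror DriverEntry setting it.
// DriverObject is unused.
// NOTE(review): work items queued by TdCreateProcessNotifyRoutine2 may still be pending
// (WorkRoutine waits about 2 s before running); nothing here waits for them to drain
// before the driver image goes away.
VOID TdDeviceUnload(
    _In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (TdProcessNotifyRoutineSet2 == TRUE)
    {
        // The original stored this status in a local that was never read; the
        // result is deliberately discarded rather than kept in dead state.
        (void)PsSetCreateProcessNotifyRoutineEx(TdCreateProcessNotifyRoutine2, TRUE);
        TdProcessNotifyRoutineSet2 = FALSE;
    }
}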
// Shared dispatch stub for every IRP DriverEntry routes here: completes the request
// with STATUS_SUCCESS and zero bytes of information. DeviceObject is unused.
// Returns STATUS_SUCCESS.
NTSTATUS
TdDeviceCreate(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp)
{
    const NTSTATUS completion = STATUS_SUCCESS;
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = completion;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return completion;
}