Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Niemand committed Jun 24, 2019
1 parent b2bc97c, commit fdadb8a
Showing 7 changed files with 321 additions and 10 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
# DriverHelper | ||
|
||
## Introduction | ||
|
||
|
||
## Usage | ||
|
||
This module provides all key features required to exploit and communicate with a Driver. | ||
|
||
## Key Features | ||
|
||
Class DriverHelper will provide the following method: | ||
|
||
- static int memmem(PBYTE haystack, DWORD haystack_size, PBYTE needle, DWORD needle_size); | ||
- static int getDeviceHandle(LPTSTR name); | ||
- static unsigned __int64 __fastcall ExpLookupHandleTableEntryW7(__int64 HandleTable, unsigned __int64 handle); | ||
- static unsigned __int64 __fastcall ExpLookupHandleTableEntryW10(__int64 HandleTable, __int64 handle); | ||
- static ULONG64 findPhisical_ObjectTable(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize); | ||
- static DWORDLONG findPhisical(DWORDLONG startAddress, DWORDLONG stopAddress, DWORD searchSpace, PBYTE searchBuffer, DWORD bufferSize); | ||
|
||
|
||
## Usefull Structures: | ||
|
||
EPROCESS pattern: | ||
``` | ||
typedef struct { | ||
CHAR ImageFileName[15]; | ||
DWORD PriorityClass; | ||
} _EPROCESS_PATTERN; | ||
``` | ||
|
||
Read physicalAddress: | ||
``` | ||
typedef struct _READ_REQUEST { | ||
DWORD InterfaceType; | ||
DWORD Bus; | ||
ULONG64 PhysicalAddress; | ||
DWORD IOSpace; | ||
DWORD size; | ||
} READ_REQUEST; | ||
``` | ||
|
||
Write physicalAddress: | ||
``` | ||
typedef struct _WRITE_REQUEST { | ||
DWORDLONG address; | ||
DWORD length; | ||
DWORDLONG buffer; | ||
} WRITE_REQUEST; | ||
``` | ||
|
||
Structure for memcpy using VA: | ||
``` | ||
typedef struct _MEMCPY_REQUEST { | ||
ULONG64 dest; | ||
ULONG64 src; | ||
DWORD size; | ||
} MEMCPY_REQUEST; | ||
``` | ||
|
||
HANDLE_TABLE_ENTRY: | ||
``` | ||
typedef struct _HANDLE_TABLE_ENTRY | ||
{ | ||
ULONGLONG Value; | ||
ULONGLONG GrantedAccess : 25; | ||
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; | ||
``` | ||
|
||
HANDLE_TABLE:_ | ||
``` | ||
typedef struct _HANDLE_TABLE | ||
{ | ||
CHAR fill[100]; | ||
} HANDLE_TABLE, *PHANDLE_TABLE; | ||
``` |
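Review bot: The `## Introduction` section under `# DriverHelper` is empty, and none of the structure definitions say which Windows builds or what packing they assume: `READ_REQUEST` places a 64-bit `PhysicalAddress` after two `DWORD`s, so without a packing pragma the compiler inserts 4 bytes of padding and the layout handed to the driver differs from what the README implies; `HANDLE_TABLE` is only `CHAR fill[100]`, an opaque placeholder; and the `ExpLookupHandleTableEntryW7` / `ExpLookupHandleTableEntryW10` pair plus the 25-bit `GrantedAccess` field in `HANDLE_TABLE_ENTRY` are version-specific. Document the intended packing and the OS versions each layout was verified on. Style: `## Usefull Structures:` -> `## Useful Structures`, drop the stray underscore in `HANDLE_TABLE:_`, and consider renaming `findPhisical` / `findPhisical_ObjectTable` to `findPhysical` before callers depend on the name.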
@@ -0,0 +1,80 @@ | ||
# DriverTester | ||
|
||
## Introduction | ||
|
||
|
||
## Usage | ||
|
||
This module exploits **Razer Synapse rzpnk.sys (2.20.15.1104) - CVE-2017-9769** to open a new HANDLE to the game from kernel mode. Then it attempts to access to the memory of the game by using this handle. | ||
|
||
> A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process. | ||
References | ||
|
||
__Actions that this module attemps:__ | ||
|
||
- ReadProcessMemory | ||
- WriteProcessMemory | ||
- ntReadVirtualMemory | ||
- ntWriteVirtualMemory | ||
- ZwReadVirtualMemory | ||
- ZwWriteVirtualMemory | ||
|
||
## Configuration | ||
|
||
This module requires configuration: | ||
|
||
- The following variables in config.ini need to the provided: | ||
|
||
[Addresses] | ||
``` | ||
RPMAddressHigh=0x1 | ||
RPMAddressLow=0x58A60000 | ||
RPMAddress=0x0 | ||
WPMAddressHigh=0x00000000 | ||
WPMAddressLow=0x58A60000 | ||
WPMAddress=0x0 | ||
ntRVMAddressHigh=0x00000000 | ||
ntRVMAddressLow=0x58A60000 | ||
ntRVMAddress=0x0 | ||
ntWVMAddressHigh=0x00000000 | ||
ntWVMAddressLow=0x58A60000 | ||
ntWVMAddress=0x0 | ||
ZwRVMAddressHigh=0x00000000 | ||
ZwRVMAddressLow=0x58A60000 | ||
ZwRVMAddress=0x0 | ||
ZwWVMAddressHigh=0x00000000 | ||
ZwWVMAddressLow=0x58A60000 | ||
ZwWVMAddress=0x0 | ||
``` | ||
|
||
|
||
[Buffers] | ||
``` | ||
#SIZE MUST BE SIZE+1 | ||
RPMBuffer=TTTT1 | ||
RPMBufferSize=0x6 | ||
WPMBuffer=TTTT2 | ||
WPMBufferSize=0x6 | ||
ntRVMBuffer=TTTT4 | ||
ntRVMBufferSize=0x6 | ||
ntWVMBuffer=TTTT5 | ||
ntWVMBufferSize=0x6 | ||
ZwRVMBuffer=TTTT6 | ||
ZwRVMBufferSize=0x6 | ||
ZwWVMBuffer=TTTT7 | ||
ZwWVMBufferSize=0x6 | ||
``` | ||
|
||
[Strings] | ||
``` | ||
targetProc=r5apex.exe | ||
``` | ||
|
||
## Combination with other techniques | ||
|
||
- **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. | ||
|
||
|
||
## Links | ||
|
||
https://warroom.rsmus.com/cve-2017-9769/ |
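Review bot: In the `[Addresses]` block `RPMAddressHigh=0x1` disagrees with every other `*AddressHigh=0x00000000`, and all six `*AddressLow` entries are the identical `0x58A60000`, so the block reads as an unedited template rather than resolved values; the README should state that each entry is a per-target placeholder the user must fill in (or ship a separate example file) and explain how `*AddressHigh` and `*AddressLow` combine into the 64-bit `*Address`, which is left at `0x0`. The lone `References` line after the block quote is dangling, since the only URL is under `## Links`; either attach the URL to the quote as its attribution or drop the word. Typos: `attemps` -> `attempts`, `need to the provided` -> `need to be provided`, `end load the driver` -> `and load the driver`.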
@@ -0,0 +1,75 @@ | ||
# StealthHandleHijackingMaster | ||
|
||
## Introduction | ||
|
||
|
||
## Usage | ||
|
||
This module is used combinaded with **StealthHandleHijackingDLL**. This is the "command and control" implementation. Has to be executed before injecting the DLL. | ||
|
||
HandleHijakingMaster will create a FileMapping (Share Memory) that this module uses to receive instructions and then return information to the master (where all the bot logic should be located). | ||
|
||
## Configuration | ||
|
||
This module requires configuration: | ||
|
||
- The following variables in config.ini need to the provided: | ||
|
||
[Addresses] | ||
``` | ||
RPMAddressHigh=0x1 | ||
RPMAddressLow=0x58A60000 | ||
RPMAddress=0x0 | ||
WPMAddressHigh=0x00000000 | ||
WPMAddressLow=0x58A60000 | ||
WPMAddress=0x0 | ||
ntRVMAddressHigh=0x00000000 | ||
ntRVMAddressLow=0x58A60000 | ||
ntRVMAddress=0x0 | ||
ntWVMAddressHigh=0x00000000 | ||
ntWVMAddressLow=0x58A60000 | ||
ntWVMAddress=0x0 | ||
ZwRVMAddressHigh=0x00000000 | ||
ZwRVMAddressLow=0x58A60000 | ||
ZwRVMAddress=0x0 | ||
ZwWVMAddressHigh=0x00000000 | ||
ZwWVMAddressLow=0x58A60000 | ||
ZwWVMAddress=0x0 | ||
``` | ||
|
||
[Handles] | ||
|
||
``` | ||
requestHandleFM=0x15FC | ||
``` | ||
|
||
[Buffers] | ||
``` | ||
#SIZE MUST BE SIZE+1 | ||
RPMBuffer=TTTT1 | ||
RPMBufferSize=0x6 | ||
WPMBuffer=TTTT2 | ||
WPMBufferSize=0x6 | ||
ntRVMBuffer=TTTT4 | ||
ntRVMBufferSize=0x6 | ||
ntWVMBuffer=TTTT5 | ||
ntWVMBufferSize=0x6 | ||
ZwRVMBuffer=TTTT6 | ||
ZwRVMBufferSize=0x6 | ||
ZwWVMBuffer=TTTT7 | ||
ZwWVMBufferSize=0x6 | ||
``` | ||
|
||
[Strings] | ||
``` | ||
targetProc=BlackDesert64.exe | ||
privotProc=lsass.exe | ||
#Edit in DLL if you changed it here | ||
fileMapName=Global\StealthHijacking | ||
``` | ||
|
||
## Combination with other techniques | ||
|
||
- **RUNASKINVOKER**: By executing the game using this options we will prevent the Anti-cheat to fully protect the game end load the driver. | ||
|
||
|
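Review bot: `requestHandleFM=0x15FC` under `[Handles]` is a raw HANDLE value, which is only meaningful inside the process that owns it and changes between runs, so a fixed number in config.ini cannot work as documented; explain where the value comes from or have the module obtain it at runtime rather than listing a constant. The usage paragraph also crosses its roles: this module is the master, yet the sentence says the file mapping is what "this module uses to receive instructions and then return information to the master". Restate it as: the master creates the file mapping, the DLL reads instructions from it and writes results back. The config key `privotProc` looks like a misspelling of `pivotProc`, the body says `HandleHijakingMaster` while the title is `StealthHandleHijackingMaster`, and since `fileMapName` is flagged as duplicated in the DLL (`#Edit in DLL if you changed it here`), a single shared header or the DLL reading config.ini would remove that duplication. Typo: `combinaded` -> `combined`.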