
Delete DSE disabling, update README, solve warnings

tandasat committed Jul 24, 2015
1 parent a32b7b0 commit 2843373d6b7e35fef3eec73e353e2531d029acff
@@ -1,12 +1,18 @@

Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Express 2013 for Windows Desktop
-VisualStudioVersion = 12.0.30110.0
+# Visual Studio 14
+VisualStudioVersion = 14.0.23107.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisPG", "DisPG\DisPG.vcxproj", "{74FA6A70-EA29-4787-A49C-1F33ADCE08F7}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DisPGLoader", "DisPGLoader\DisPGLoader.vcxproj", "{71E81282-4D39-4A23-B1D6-953D9754E8B2}"
EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{24642E83-0F96-438F-9FF2-CF067ADE394C}"
+ ProjectSection(SolutionItems) = preProject
+ NOTE.md = NOTE.md
+ README.md = README.md
+ EndProjectSection
+EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
@@ -4,7 +4,6 @@
//
#include "stdafx.h"
#include "util.h"
-#include "rootkit.h"
#include "win8.h"
#include "winX.h"
@@ -62,12 +61,6 @@ NTSTATUS DispgpLoadPointerVaule(
EXTERN_C static
NTSTATUS DispgpDisablePatchGuard();
-EXTERN_C static
-NTSTATUS DispgpEnableRootkitFunction();
-
-EXTERN_C static
-void DispgpDisableSigningEnforcement();
-
EXTERN_C static
bool DispgpIsWindows8OrGreater();
@@ -93,7 +86,6 @@ static ULONG64 g_KernelVersion = 0;
// always
static ULONG_PTR g_ExAcquireResourceSharedLite = 0;
// ifVistaOr7
-static BOOLEAN* g_CiEnabled = nullptr;
static POOL_TRACKER_BIG_PAGES** g_PoolBigPageTable = nullptr;
// ifXp
static POOL_TRACKER_BIG_PAGES_XP** g_PoolBigPageTableXp = nullptr;
@@ -107,7 +99,6 @@ static ULONG_PTR g_KiCommitThreadWait = 0;
static ULONG_PTR g_KiAttemptFastRemovePriQueue = 0;
static ULONG_PTR g_KeDelayExecutionThread = 0;
static ULONG_PTR g_KeWaitForSingleObject = 0;
-static UINT32* g_CiOptions = nullptr;
////////////////////////////////////////////////////////////////////////////////
@@ -124,50 +115,31 @@ NTSTATUS DriverEntry(
{
PAGED_CODE();
- //DBG_BREAK();
+ DBG_BREAK();
- DBG_PRINT("[%4x:%4x] Initialize : Starting DisPG.\n",
- PsGetCurrentProcessId(), PsGetCurrentThreadId());
+ DBG_PRINT("[%5Iu:%5Iu] Initialize : Starting DisPG.\n",
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
auto status = DispgpInitialize(RegistryPath);
if (!NT_SUCCESS(status))
{
return status;
}
- // Disable PatchGuard. This function has to be called before
- // DispgpEnableRootkitFunction or DispgpDisableSigningEnforcement as these
- // functions install kernel patches.
+ // Disable PatchGuard.
status = DispgpDisablePatchGuard();
if (!NT_SUCCESS(status))
{
return status;
}
- DBG_PRINT("[%4x:%4x] Initialize : PatchGuard has been disarmed.\n",
- PsGetCurrentProcessId(), PsGetCurrentThreadId());
-
- //// Enables rootkit function by installing kernel patches. The driver should
- //// never be unloaded after this function succeeded as it installs hook code
- //// that calls this driver.
- //status = DispgpEnableRootkitFunction();
- //if (!NT_SUCCESS(status))
- //{
- // return status;
- //}
- //DBG_PRINT("[%4x:%4x] Initialize : Hiding processes has been enabled.\n",
- // PsGetCurrentProcessId(), PsGetCurrentThreadId());
-
- // Disable DSE if applicable
- if (!DispgpIsWindowsXp())
- {
- DispgpDisableSigningEnforcement();
- DBG_PRINT("[%4x:%4x] Initialize : Driver Signing Enforcement has been"
- " disabled.\n",
- PsGetCurrentProcessId(), PsGetCurrentThreadId());
- }
+ DBG_PRINT("[%5Iu:%5Iu] Initialize : PatchGuard has been disarmed.\n",
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
- DBG_PRINT("[%4x:%4x] Initialize : Enjoy freedom ;)\n",
- PsGetCurrentProcessId(), PsGetCurrentThreadId());
+ DBG_PRINT("[%5Iu:%5Iu] Initialize : Enjoy freedom ;)\n",
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentProcessId()),
+ reinterpret_cast<ULONG_PTR>(PsGetCurrentThreadId()));
return status;
}
@@ -260,7 +232,6 @@ NTSTATUS DispgpLoadSymbolAddresses(
const SymbolSet requireSymbols[] =
{
{ L"ntoskrnl!ExAcquireResourceSharedLite", reinterpret_cast<void**>(&g_ExAcquireResourceSharedLite), always, },
- { L"ntoskrnl!g_CiEnabled", reinterpret_cast<void**>(&g_CiEnabled), ifVistaOr7, },
{ L"ntoskrnl!PoolBigPageTable", reinterpret_cast<void**>(&g_PoolBigPageTable), ifVistaOr7, },
{ L"ntoskrnl!PoolBigPageTable", reinterpret_cast<void**>(&g_PoolBigPageTableXp), ifXp, },
{ L"ntoskrnl!PoolBigPageTableSize", reinterpret_cast<void**>(&g_PoolBigPageTableSize), ifNot8OrGreater, },
@@ -271,7 +242,6 @@ NTSTATUS DispgpLoadSymbolAddresses(
{ L"ntoskrnl!KiAttemptFastRemovePriQueue", reinterpret_cast<void**>(&g_KiAttemptFastRemovePriQueue), if8OrGreater, },
{ L"ntoskrnl!KeDelayExecutionThread", reinterpret_cast<void**>(&g_KeDelayExecutionThread), if8OrGreater, },
{ L"ntoskrnl!KeWaitForSingleObject", reinterpret_cast<void**>(&g_KeWaitForSingleObject), if8OrGreater, },
- { L"ci!g_CiOptions", reinterpret_cast<void**>(&g_CiOptions), if8OrGreater, },
};
// Load each symbol from the registry if required
@@ -391,64 +361,6 @@ NTSTATUS DispgpDisablePatchGuard()
}
-// Enable hiding processes function
-ALLOC_TEXT(INIT, DispgpEnableRootkitFunction)
-EXTERN_C static
-NTSTATUS DispgpEnableRootkitFunction()
-{
- PAGED_CODE();
- auto status = STATUS_UNSUCCESSFUL;
-
- if ((g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 3)
- || (g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 1))
- {
- // For Win 8 and 7
- status = RootkitEnableRootkit(
- 18,
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_Win8_1),
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_Win8_1End));
- }
- else if (g_WindowsVersion.dwMajorVersion == 6 && g_WindowsVersion.dwMinorVersion == 0)
- {
- // For Win Vista
- status = RootkitEnableRootkit(
- 18,
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinVista),
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinVistaEnd));
- }
- else if (DispgpIsWindowsXp())
- {
- // For Win XP
- status = RootkitEnableRootkit(
- 18,
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinXp),
- reinterpret_cast<ULONG_PTR>(AsmNtQuerySystemInformation_WinXpEnd));
- }
- return status;
-}
-
-
-// Disable Driver Signing Enforcement. This function should never been called
-// on Win XP since it has no Driver Signing Enforcement on the platform.
-ALLOC_TEXT(INIT, DispgpDisableSigningEnforcement)
-EXTERN_C static
-void DispgpDisableSigningEnforcement()
-{
- PAGED_CODE();
-
- if (DispgpIsWindows8OrGreater())
- {
- // For Win 8.1
- *g_CiOptions = 0;
- }
- else
- {
- // For Win 7 and Vista
- *g_CiEnabled = FALSE;
- }
-}
-
-
// Return true if the platform is Win 8 or later
ALLOC_TEXT(INIT, DispgpIsWindows8OrGreater)
EXTERN_C static
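Review bot: DriverEntry now executes `DBG_BREAK();` unconditionally — the commit flips `//DBG_BREAK();` to `DBG_BREAK();` at the top of the function — so unless that macro is already compiled out in release builds or checks for an attached debugger, loading the driver on a machine without a kernel debugger will stop at the breakpoint and bugcheck. This looks like a leftover from local testing rather than part of the stated change (removing DSE disabling and fixing warnings). Either restore the comment or guard the call, e.g. `if (!KD_DEBUGGER_NOT_PRESENT) { DBG_BREAK(); }`. As a minor documentation point, the new `%5Iu` specifiers with `reinterpret_cast<ULONG_PTR>` on the PID/TID handles are correct but non-obvious; a one-line comment such as `// HANDLE values are pointer-sized; print them as ULONG_PTR to silence format warnings` would explain why the casts appeared.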
@@ -1,18 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
- <ProjectConfiguration Include="Debug|Win32">
- <Configuration>Debug</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
- <ProjectConfiguration Include="Release|Win32">
- <Configuration>Release</Configuration>
- <Platform>Win32</Platform>
- </ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
@@ -24,25 +16,12 @@
<RootNamespace>DisPG</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>true</UseDebugLibraries>
- <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
- <CharacterSet>NotSet</CharacterSet>
- </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<CharacterSet>NotSet</CharacterSet>
</PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
- <ConfigurationType>Application</ConfigurationType>
- <UseDebugLibraries>false</UseDebugLibraries>
- <PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
- <WholeProgramOptimization>true</WholeProgramOptimization>
- <CharacterSet>NotSet</CharacterSet>
- </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
@@ -53,58 +32,23 @@
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
- <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
- </ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <LinkIncremental>false</LinkIncremental>
- <TargetExt>.sys</TargetExt>
- </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetExt>.sys</TargetExt>
<CodeAnalysisRuleSet>..\..\..\..\Program Files (x86)\Windows Kits\8.1\CodeAnalysis\DriverRecommendedRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis>
</PropertyGroup>
- <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <LinkIncremental>false</LinkIncremental>
- <TargetExt>.sys</TargetExt>
- </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetExt>.sys</TargetExt>
</PropertyGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
- <ClCompile>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <WarningLevel>Level4</WarningLevel>
- <Optimization>Disabled</Optimization>
- <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <SDLCheck>true</SDLCheck>
- <AdditionalIncludeDirectories>$(WindowsSdkDir)Include\km</AdditionalIncludeDirectories>
- <TreatWarningAsError>false</TreatWarningAsError>
- </ClCompile>
- <Link>
- <SubSystem>Native</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <AdditionalLibraryDirectories>$(WindowsSdkDir)Lib\winv6.3\km\$(PlatformTarget)</AdditionalLibraryDirectories>
- <AdditionalDependencies>ntoskrnl.lib;wdm.lib;wmilib.lib;hal.lib;bufferoverflowK.lib</AdditionalDependencies>
- <Driver>Driver</Driver>
- <EntryPointSymbol>GsDriverEntry@8</EntryPointSymbol>
- <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
- </Link>
- </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
@@ -128,31 +72,6 @@
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
</Link>
</ItemDefinitionGroup>
- <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
- <ClCompile>
- <WarningLevel>Level4</WarningLevel>
- <PrecompiledHeader>
- </PrecompiledHeader>
- <Optimization>MaxSpeed</Optimization>
- <FunctionLevelLinking>true</FunctionLevelLinking>
- <IntrinsicFunctions>true</IntrinsicFunctions>
- <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
- <SDLCheck>true</SDLCheck>
- <AdditionalIncludeDirectories>$(WindowsSdkDir)Include\km</AdditionalIncludeDirectories>
- <TreatWarningAsError>false</TreatWarningAsError>
- </ClCompile>
- <Link>
- <SubSystem>Native</SubSystem>
- <GenerateDebugInformation>true</GenerateDebugInformation>
- <EnableCOMDATFolding>true</EnableCOMDATFolding>
- <OptimizeReferences>true</OptimizeReferences>
- <AdditionalLibraryDirectories>$(WindowsSdkDir)Lib\winv6.3\km\$(PlatformTarget)</AdditionalLibraryDirectories>
- <AdditionalDependencies>ntoskrnl.lib;wdm.lib;wmilib.lib;hal.lib;bufferoverflowK.lib</AdditionalDependencies>
- <Driver>Driver</Driver>
- <EntryPointSymbol>GsDriverEntry@8</EntryPointSymbol>
- <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
- </Link>
- </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
@@ -181,7 +100,6 @@
<ItemGroup>
<ClCompile Include="DisPG.cpp" />
<ClCompile Include="exclusivity.cpp" />
- <ClCompile Include="rootkit.cpp" />
<ClCompile Include="stdafx.cpp" />
<ClCompile Include="util.cpp" />
<ClCompile Include="win8.cpp" />
@@ -193,7 +111,6 @@
<ClInclude Include="..\..\Common\unique_resource.h" />
<ClInclude Include="exclusivity.h" />
<ClInclude Include="intrinsics.h" />
- <ClInclude Include="rootkit.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="util.h" />
<ClInclude Include="win8.h" />
@@ -33,9 +33,6 @@
<ClCompile Include="util.cpp">
<Filter>Source Files</Filter>
</ClCompile>
- <ClCompile Include="rootkit.cpp">
- <Filter>Source Files</Filter>
- </ClCompile>
<ClCompile Include="win8.cpp">
<Filter>Source Files</Filter>
</ClCompile>
@@ -56,9 +53,6 @@
<ClInclude Include="util.h">
<Filter>Header Files</Filter>
</ClInclude>
- <ClInclude Include="rootkit.h">
- <Filter>Header Files</Filter>
- </ClInclude>
<ClInclude Include="win8.h">
<Filter>Header Files</Filter>
</ClInclude>
