示例#1
0
        public static Boolean UnLoadDriver(String ServiceName)
        {
            if (!Wrapper.IsMsIoLoaded())
            {
                Console.WriteLine("[+] MsIo driver is not currently loaded..");
            }
            else
            {
                APIDef.UNICODE_STRING uDriverServiceName = new APIDef.UNICODE_STRING();
                APIDef.RtlInitUnicodeString(ref uDriverServiceName, @"\Registry\Machine\System\CurrentControlSet\Services\" + ServiceName);
                UInt32 CallRes = APIDef.NtUnloadDriver(ref uDriverServiceName);
                if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
                {
                    Console.WriteLine("[!] Failed to unload driver..");
                    return(false);
                }
                else
                {
                    Console.WriteLine("[+] NtUnloadDriver -> Success");
                }
            }

            try
            {
                // Delete driver from disk
                RegistryKey hServiceKey    = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Services\" + ServiceName);
                String      DriverFilePath = (String)hServiceKey.GetValue("ImagePath");

                try
                {
                    DriverFilePath = DriverFilePath.Trim(@"\??\".ToCharArray());
                    File.SetAttributes(DriverFilePath, FileAttributes.Normal);
                    File.Delete(DriverFilePath);
                    Console.WriteLine("[+] Driver deleted from disk");
                }
                catch
                {
                    Console.WriteLine("[!] Failed to delete driver from disk..");
                    return(false);
                }

                try
                {
                    Registry.LocalMachine.DeleteSubKeyTree(@"SYSTEM\CurrentControlSet\Services\" + ServiceName);
                    Console.WriteLine("[+] Driver service artifacts deleted");
                }
                catch
                {
                    Console.WriteLine("[!] Failed to delete registry key..");
                    return(false);
                }
            }
            catch
            {
                Console.WriteLine("[+] Driver service registry entry not found..");
            }

            return(true);
        }
示例#2
0
        // Check if Directory object contains driver service name
        public static Boolean DirectoryObjectContainsDevice(String DriverServiceName)
        {
            APIDef.UNICODE_STRING ObjectName = new APIDef.UNICODE_STRING();
            APIDef.RtlInitUnicodeString(ref ObjectName, ("\\Driver"));
            IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));

            Marshal.StructureToPtr(ObjectName, pObjectName, true);

            APIDef.OBJECT_ATTRIBUTES oa = new APIDef.OBJECT_ATTRIBUTES();
            oa.Length                   = Marshal.SizeOf(oa);
            oa.RootDirectory            = IntPtr.Zero;
            oa.Attributes               = 0x40; // OBJ_CASE_INSENSITIVE
            oa.ObjectName               = pObjectName;
            oa.SecurityDescriptor       = IntPtr.Zero;
            oa.SecurityQualityOfService = IntPtr.Zero;

            IntPtr hDirectory = IntPtr.Zero;
            UInt32 CallRes    = APIDef.NtOpenDirectoryObject(ref hDirectory, 0x1, ref oa);

            if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
            {
                Console.WriteLine("[!] Failed to open DirectoryObject..");
                return(false);
            }

            // Find the correct allocation size
            UInt32 ctx = 0;

            while (true)
            {
                UInt32 RetLen = 0;
                CallRes = APIDef.NtQueryDirectoryObject(hDirectory, IntPtr.Zero, 0, true, false, ref ctx, ref RetLen);
                if (CallRes != APIDef.NTSTATUS_STATUS_BUFFER_TOO_SMALL)
                {
                    return(false);
                }

                IntPtr AllocPtr = Marshal.AllocHGlobal((Int32)RetLen);
                CallRes = APIDef.NtQueryDirectoryObject(hDirectory, AllocPtr, RetLen, true, false, ref ctx, ref RetLen);
                if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
                {
                    Marshal.FreeHGlobal(AllocPtr);
                    return(false);
                }

                APIDef.OBJECT_DIRECTORY_INFORMATION odi = new APIDef.OBJECT_DIRECTORY_INFORMATION();
                odi = (APIDef.OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(AllocPtr, typeof(APIDef.OBJECT_DIRECTORY_INFORMATION));
                Marshal.FreeHGlobal(AllocPtr);
                if (Marshal.PtrToStringUni(odi.Name.Buffer) == DriverServiceName)
                {
                    return(true);
                }
            }
        }
示例#3
0
        public static Boolean LoadDriver(String DriverPath, String ServiceName)
        {
            APIDef.UNICODE_STRING dus = new APIDef.UNICODE_STRING();
            Boolean bCallRes          = APIDef.RtlDosPathNameToRelativeNtPathName_U(DriverPath, ref dus, IntPtr.Zero, IntPtr.Zero);

            if (!bCallRes)
            {
                Console.WriteLine("[!] Failed to get Nt path from DOS path..");
                return(false);
            }
            else
            {
                Console.WriteLine("[>] Driver Nt path: " + Marshal.PtrToStringUni(dus.Buffer, (dus.Length / 2)));
            }

            try
            {
                RegistryKey hServiceKey = Registry.LocalMachine.CreateSubKey(@"SYSTEM\CurrentControlSet\Services\" + ServiceName);
                try
                {
                    Console.WriteLine("[>] Driver registration: " + hServiceKey.Name);
                    hServiceKey.SetValue("ErrorControl", APIDef.SERVICE_ERROR_NORMAL, RegistryValueKind.DWord);
                    hServiceKey.SetValue("Type", APIDef.SERVICE_KERNEL_DRIVER, RegistryValueKind.DWord);
                    hServiceKey.SetValue("Start", APIDef.SERVICE_DEMAND_START, RegistryValueKind.DWord);
                    hServiceKey.SetValue("ImagePath", Marshal.PtrToStringUni(dus.Buffer, (dus.Length / 2)), RegistryValueKind.ExpandString);
                }
                catch
                {
                    Console.WriteLine("[!] Failed to create registry value entry..");
                    return(false);
                }
            }
            catch
            {
                Console.WriteLine("[!] Failed to create registry key..");
                return(false);
            }

            // Load driver
            APIDef.UNICODE_STRING uDriverServiceName = new APIDef.UNICODE_STRING();
            APIDef.RtlInitUnicodeString(ref uDriverServiceName, @"\Registry\Machine\System\CurrentControlSet\Services\" + ServiceName);
            UInt32 CallRes = APIDef.NtLoadDriver(ref uDriverServiceName);

            if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
            {
                Console.WriteLine("[!] Failed to load driver..");
                return(false);
            }

            Console.WriteLine("[?] NtLoadDriver -> Success");
            return(true);
        }
示例#4
0
        public static IntPtr GetDriverHandle()
        {
            if (!Wrapper.IsMsIoLoaded())
            {
                Console.WriteLine("[!] MsIo driver is not currently loaded..");
                return(IntPtr.Zero);
            }

            APIDef.UNICODE_STRING ObjectName = new APIDef.UNICODE_STRING();
            APIDef.RtlInitUnicodeString(ref ObjectName, ("\\DosDevices\\MsIo"));
            IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));

            Marshal.StructureToPtr(ObjectName, pObjectName, true);

            APIDef.OBJECT_ATTRIBUTES objectAttributes = new APIDef.OBJECT_ATTRIBUTES();
            objectAttributes.Length     = Marshal.SizeOf(objectAttributes);
            objectAttributes.ObjectName = pObjectName;
            objectAttributes.Attributes = 0x40;             // OBJ_CASE_INSENSITIVE

            APIDef.IO_STATUS_BLOCK ioStatusBlock = new APIDef.IO_STATUS_BLOCK();

            IntPtr hDriver = IntPtr.Zero;

            UInt32 CallRes = APIDef.NtCreateFile(ref hDriver, (UInt32)(APIDef.FileAccessFlags.WRITE_DAC | APIDef.FileAccessFlags.FILE_GENERIC_READ | APIDef.FileAccessFlags.FILE_GENERIC_WRITE), ref objectAttributes, ref ioStatusBlock, IntPtr.Zero, 0, 0, 0x1, 0, IntPtr.Zero, 0);

            if (CallRes == APIDef.NTSTATUS_STATUS_ACCESS_DENIED)
            {
                Console.WriteLine("[!] STATUS_ACCESS_DENIED : You must run VirtToPhys as Administrator..");
                return(IntPtr.Zero);
            }
            else
            {
                if (CallRes == APIDef.NTSTATUS_STATUS_SUCCESS)
                {
                    return(hDriver);
                }
                else
                {
                    Console.WriteLine("[!] Failed to get device handle : " + string.Format("{0:X}", CallRes));
                    return(IntPtr.Zero);
                }
            }
        }