/*++
Copyright (c) Alex Ionescu. All rights reserved.
Module Name:
r0akwr.c
Abstract:
This module implements write capabilities for r0ak
Author:
Alex Ionescu (@aionescu) 21-Jul-2018 - First public version
Environment:
User mode only.
--*/
#include "r0ak.h"
//
// Operand widths accepted in XM_CONTEXT.DataType. Only LONG_DATA is used by
// this module (see CmdWriteKernel); the value 2 is deliberately left out here
// because this module never needs it. The numeric values are presumably
// dictated by the kernel-side consumer of the context -- do not renumber.
//
typedef enum _XM_OPERATION_DATATYPE
{
    BYTE_DATA = 0,
    WORD_DATA = 1,
    LONG_DATA = 3
} XM_OPERATION_DATATYPE;
//
// User-mode mirror of the context block handed to the HAL x64 emulator.
// A copy of this structure is placed in kernel memory (KernelWrite) and the
// emulator routine reads it there, so the field order and the size of the
// leading reserved area fix every offset -- do not reorder or insert fields.
//
typedef struct _XM_CONTEXT
{
    // Opaque prefix, 0x58 bytes. Being the first member, its address is also
    // the address of the whole structure; that is what CmdWriteKernel passes
    // as the work-item callback argument.
    UCHAR Reserved[0x58];
    // Target address of the emulated store (set to KernelAddress).
    PVOID DestinationPointer;
    // Not written by this module.
    PVOID SourcePointer;
    // Not written by this module.
    ULONG DestinationValue;
    // Value to be stored (set to KernelValue).
    ULONG SourceValue;
    // Not written by this module.
    ULONG CurrentOpcode;
    // Not written by this module.
    ULONG DataSegment;
    // One of XM_OPERATION_DATATYPE; this module always uses LONG_DATA.
    ULONG DataType;
} XM_CONTEXT, *PXM_CONTEXT;
_Success_(return != 0)
BOOL
CmdWriteKernel (
    _In_ PKERNEL_EXECUTE KernelExecute,
    _In_ PVOID KernelAddress,
    _In_ ULONG KernelValue
    )
/*++

Routine Description:

    Performs a 32-bit store of KernelValue at KernelAddress by building an
    XM_CONTEXT describing the store, copying it into kernel memory, queueing
    it as the argument of a work item that runs g_XmFunction, and then using
    an ETW session to observe that the work item has executed.

Arguments:

    KernelExecute - Work-item execution object prepared by the caller.

    KernelAddress - Kernel-mode address that receives the value.

    KernelValue - 32-bit value to store.

Return Value:

    TRUE if the work item ran and its completion was observed through ETW,
    FALSE otherwise. Every failure path prints a "[-]" diagnostic first.
    If the ETW trace cannot be parsed after the work item was queued, the
    routine never returns (see below).

--*/
{
    PKERNEL_ALLOC kernelAlloc = NULL;
    PETW_DATA etwData = NULL;
    PXM_CONTEXT xmContext;
    BOOL b;

    printf("[+] Writing 0x%.8lX to 0x%.16p\n",
           KernelValue, KernelAddress);

    //
    // Get a user-mode XM_CONTEXT backed by a kernel allocation descriptor.
    // Nothing has been allocated on the failure path, so there is nothing
    // to release.
    //
    xmContext = KernelAlloc(&kernelAlloc, sizeof(*xmContext));
    if (xmContext == NULL)
    {
        printf("[-] Failed to allocate memory for XM_CONTEXT\n");
        return FALSE;
    }

    //
    // Describe the store: a LONG_DATA-sized write of KernelValue to
    // KernelAddress. The remaining fields are left as KernelAlloc returned
    // them.
    //
    xmContext->SourceValue = KernelValue;
    xmContext->DataType = LONG_DATA;
    xmContext->DestinationPointer = KernelAddress;

    //
    // Push the context into kernel memory. From here on xmContext is the
    // kernel-mode address of the copy and must not be dereferenced.
    //
    xmContext = KernelWrite(kernelAlloc);
    if (xmContext == NULL)
    {
        printf("[-] Failed to find kernel memory for XM_CONTEXT\n");
        b = FALSE;
        goto Cleanup;
    }

    //
    // Arm the work item. Reserved is the first member, so &Reserved[0] is
    // the kernel address of the XM_CONTEXT itself, which is what g_XmFunction
    // receives as its argument. No dereference happens here.
    //
    b = KernelExecuteSetCallback(KernelExecute,
                                 g_XmFunction,
                                 xmContext->Reserved);
    if (b == FALSE)
    {
        printf("[-] Failed to initialize work item!\n");
        goto Cleanup;
    }

    //
    // Start the ETW session that will tell us when g_XmFunction has run.
    // NOTE(review): etwData is not released anywhere in this routine;
    // presumably EtwParseSession or process teardown owns it -- confirm.
    //
    b = EtwStartSession(&etwData, g_XmFunction);
    if (b == FALSE)
    {
        printf("[-] Failed to start ETW trace\n");
        goto Cleanup;
    }

    //
    // Queue the work item.
    //
    b = KernelExecuteRun(KernelExecute);
    if (b == FALSE)
    {
        printf("[-] Failed to execute kernel function!\n");
        goto Cleanup;
    }

    //
    // Block until the trace shows the work item executed. If the trace
    // cannot be parsed we do not know whether the kernel is still using the
    // allocation, so rather than free it out from under the work item the
    // routine parks the thread forever; the return after Sleep is never
    // reached.
    //
    b = EtwParseSession(etwData);
    if (b == FALSE)
    {
        printf("[-] Failed to parse ETW trace\n");
        Sleep(INFINITE);
        return b;
    }

Cleanup:
    //
    // Reached on every path after the first allocation succeeded, except the
    // parse-failure path above: either execution completed or it never
    // started, so the allocation can be released.
    //
    KernelFree(kernelAlloc);
    return b;
}