Commit 8bcb3bb

driver code so far
1 parent 6d7d87e commit 8bcb3bb

29 files changed

+2510
-0
lines changed

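--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -0,0 +1,44 @@
+cmake_minimum_required(VERSION 3.23.0)
+project(kptnhook VERSION 0.1.0)
+
+#include(CTest)
+#enable_testing()
+
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/deps/findwdk/cmake")
+find_package(WDK REQUIRED)
+
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/shellcode32.asm)
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/shellcode64.asm)
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/structs.asm)
+
+exec_program(powershell "${CMAKE_CURRENT_LIST_DIR}"
+ARGS -ExecutionPolicy Bypass -File ${CMAKE_CURRENT_LIST_DIR}\\compile-shellcode.ps1 ${CMAKE_CURRENT_LIST_DIR}\\src\\shellcode\\shellcode32.asm
+OUTPUT_VARIABLE SHELLCODE_BYTES32)
+
+message("compiled 32bit shellcode: ${SHELLCODE_BYTES32}")
+
+exec_program(powershell "${CMAKE_CURRENT_LIST_DIR}"
+ARGS -ExecutionPolicy Bypass -File ${CMAKE_CURRENT_LIST_DIR}\\compile-shellcode.ps1 ${CMAKE_CURRENT_LIST_DIR}\\src\\shellcode\\shellcode64.asm
+OUTPUT_VARIABLE SHELLCODE_BYTES64)
+
+message("compiled 64bit shellcode: ${SHELLCODE_BYTES64}")
+
+wdk_add_driver(kptnhook src/main.cpp)
+
+target_compile_definitions(kptnhook PUBLIC ARR_SHELLCODE32=${SHELLCODE_BYTES32})
+target_compile_definitions(kptnhook PUBLIC ARR_SHELLCODE64=${SHELLCODE_BYTES64})
+add_custom_command(TARGET kptnhook POST_BUILD
+COMMAND ${WDK_ROOT}/bin/${WDK_VERSION}/x64/signtool.exe sign /v /n kptnhook $<TARGET_FILE:kptnhook>
+WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+COMMENT "signing kernel driver"
+)
+
+add_subdirectory(src)
+add_subdirectory(include/kptnhook)
+#add_subdirectory(deps)
+
+set(CPACK_PROJECT_NAME ${PROJECT_NAME})
+set(CPACK_PROJECT_VERSION ${PROJECT_VERSION})
+include(CPack)
+
+message(${WDK_ROOT}/bin/${WDK_VERSION}/x64/signtool.exe )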
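Review bot: The two exec_program calls at lines 14-22 never check the script's exit status, so when nasm is absent whatever compile-shellcode.ps1 emitted (an error line, or nothing) flows unchecked into ARR_SHELLCODE32/64 at lines 28-29 and only surfaces later as a confusing compiler error; exec_program is also deprecated in favour of execute_process, which exposes RESULT_VARIABLE. Fail the configure step when the status is non-zero, as sketched below for the 32-bit case (the 64-bit call is the same pattern). The definitions are PUBLIC, so the byte arrays land on the command line of anything that links kptnhook; PRIVATE would do if only the driver's own sources read them, but the subdirectory targets are not visible here. The trailing `message(...)` at line 44 looks like leftover debugging output, and the POST_BUILD signing command should carry `VERBATIM` so the `/n kptnhook` arguments are escaped consistently.
```cmake
execute_process(
  COMMAND powershell -ExecutionPolicy Bypass -File "${CMAKE_CURRENT_LIST_DIR}/compile-shellcode.ps1" "${CMAKE_CURRENT_LIST_DIR}/src/shellcode/shellcode32.asm"
  WORKING_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}"
  OUTPUT_VARIABLE SHELLCODE_BYTES32
  ERROR_VARIABLE shellcode32_err
  RESULT_VARIABLE shellcode32_status
  OUTPUT_STRIP_TRAILING_WHITESPACE
)
if(NOT shellcode32_status EQUAL 0)
  message(FATAL_ERROR "compile-shellcode.ps1 failed on shellcode32.asm (status ${shellcode32_status}): ${shellcode32_err}")
endif()
# … unchanged: message() echo, then the same pattern for shellcode64.asm …
```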

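--- a/compile-shellcode.ps1
+++ b/compile-shellcode.ps1
@@ -0,0 +1,19 @@
+<#
+compiles an asm file into a c-style byte array
+#>
+param (
+# path to asm file
+[parameter(mandatory=$true)]
+[string]$path
+)
+
+$nasm = "$env:LOCALAPPDATA\bin\NASM\nasm.exe"
+
+if (-not (test-path $nasm)) {
+write-error "nasm.exe not found in appdata. install nasm for local user to continue."
+exit 1
+}
+
+$tempfile = "$env:TEMP\shellcode.bin"
+& $nasm $path -f bin -o $tempfile
+'{ ' + ((format-hex $tempfile | select -expand bytes | % { '0x{0:x2}' -f $_ }) -join ', ') + ' }'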
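Review bot: The nasm invocation at line 18 is not checked, so if assembly fails the script still runs format-hex on `$env:TEMP\shellcode.bin`, which may be a stale file left by an earlier run, and silently emits old bytes that CMakeLists.txt then bakes into the driver. Test `$LASTEXITCODE` after the call and exit non-zero, and use a fresh random temp name instead of a fixed one in the shared TEMP directory so separate runs cannot pick up each other's output; delete the file afterwards. The header comment would also benefit from one line saying the output is consumed as a C initializer list by the CMake configure step, since that explains the exact `{ 0x.., 0x.. }` format.
```powershell
$tempfile = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
& $nasm $path -f bin -o $tempfile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $tempfile)) {
    Write-Error "nasm failed for $path (exit code $LASTEXITCODE)"
    exit 1
}
'{ ' + ((format-hex $tempfile | select -expand bytes | % { '0x{0:x2}' -f $_ }) -join ', ') + ' }'
Remove-Item $tempfile -ErrorAction SilentlyContinue
```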

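--- a/create_cert.ps1
+++ b/create_cert.ps1
@@ -0,0 +1 @@
+New-SelfSignedCertificate -Subject "kptnhook" -Type CodeSigningCert -CertStoreLocation cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(99)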
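Review bot: Running this script twice creates a second certificate with the same subject, since nothing checks the store first; the `/n kptnhook` selector that signtool uses in CMakeLists.txt then matches more than one certificate, and which one is picked is not pinned by anything in this code. Guard the creation with `if (-not (Get-ChildItem cert:\CurrentUser\My | Where-Object Subject -eq 'CN=kptnhook')) { ... }` and add a header comment stating that this is a test-signing certificate for local development only and must not be treated as a production signing credential. A 99-year validity is also far beyond what a development certificate needs; a few years is plenty and limits how long a leaked private key stays usable.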

‎deps/CMakeLists.txt‎

Whitespace-only changes.

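--- a/include/kptnhook/CMakeLists.txt
+++ b/include/kptnhook/CMakeLists.txt
@@ -0,0 +1 @@
+target_include_directories(kptnhook PUBLIC ${CMAKE_CURRENT_SOURCE_DIR})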
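Review bot: This one-line directory exists only to modify the kptnhook target that the top-level CMakeLists.txt defines, which scatters the target's usage requirements across files and makes them harder to audit; the same effect belongs next to wdk_add_driver as `target_include_directories(kptnhook PUBLIC "${CMAKE_CURRENT_LIST_DIR}/include/kptnhook")`, after which the add_subdirectory(include/kptnhook) call and this file can go. Whether the headers need to be PUBLIC rather than PRIVATE depends on whether anything other than the driver links kptnhook, which I cannot see from this page.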

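--- a/include/kptnhook/arch.h
+++ b/include/kptnhook/arch.h
@@ -0,0 +1,12 @@
+#pragma once
+#include <ntifs.h>
+
+enum bit { x64, x32 };
+enum compat { native, wow };
+struct arch {
+bit b;
+compat com;
+};
+
+/// figure out the architecture of a peprocess
+arch proc_arch(PEPROCESS p);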
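Review bot: `enum bit { x64, x32 }` and `enum compat { native, wow }` are unscoped, so `native`, `wow`, `x64` and `x32` become global identifiers in every translation unit that includes this header next to ntifs.h, and with kernel headers in scope such short names are easy to collide with; `enum class bit` and `enum class compat` keep them qualified without changing the struct. The header also leaves `compat` undocumented (presumably `wow` means a WoW64 process, but the reader has to guess) and proc_arch says nothing about what it returns for a null or exiting process or at which IRQL it may be called; a comment such as `/// 'wow': the process runs under WoW64; 'native': same bitness as the kernel` plus the callable IRQL on proc_arch would cover it. The implementation is not part of this page, so I cannot confirm how null is handled.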

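--- a/include/kptnhook/drvglobal.h
+++ b/include/kptnhook/drvglobal.h
@@ -0,0 +1,10 @@
+#pragma once
+
+#include <ntifs.h>
+
+struct driverctx {
+PDRIVER_OBJECT obj;
+PUNICODE_STRING registry_path;
+};
+
+extern driverctx GLOBAL;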
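Review bot: `registry_path` is stored as a `PUNICODE_STRING`, which suggests the driver keeps the pointer handed to DriverEntry rather than a copy; the Windows driver documentation states that RegistryPath is only guaranteed valid while DriverEntry runs, so any later dereference through GLOBAL would read memory the system has released. The DriverEntry implementation is not in this page, so if a copy is already made the field type should reflect that; otherwise store an owned `UNICODE_STRING` whose buffer is allocated from pool and released in the unload routine. A comment on the struct stating the ownership of each pointer, e.g. `// obj: owned by the I/O manager; registry_path: copy owned by this driver, freed on unload`, would make the intent checkable in review.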

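--- a/include/kptnhook/handler.h
+++ b/include/kptnhook/handler.h
@@ -0,0 +1,9 @@
+#pragma once
+#include <ntifs.h>
+
+constexpr UNICODE_STRING KNOWN_DLLS[] = {
+RTL_CONSTANT_STRING(L"gi_agent.dll")
+};
+
+void on_image_load(PUNICODE_STRING img_name, HANDLE proc, PIMAGE_INFO info);
+void on_create_proc(HANDLE parent_pid, HANDLE pid, BOOLEAN create);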
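Review bot: The two callback declarations carry no documentation, and their contract matters: for an image-load notify routine the `img_name` parameter may be null when the system cannot obtain the full name and `proc` is zero for kernel-mode images, while a process notify routine fires on both creation and exit with `create` telling them apart, so every implementation must handle the null and zero cases before touching the name. Add a comment block above each, for example `// Image-load notify routine; img_name may be NULL and proc is 0 for driver images - check both before use.` and `// Process notify routine; called on creation (create == TRUE) and on exit (create == FALSE).`. `KNOWN_DLLS` also deserves a line stating what membership in the list means for the driver, since the name alone does not say. The implementations are not in this page, so I cannot tell whether those cases are already handled.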

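--- a/include/kptnhook/hook.h
+++ b/include/kptnhook/hook.h
@@ -0,0 +1,23 @@
+#pragma once
+#include <ntifs.h>
+
+constexpr UINT8 stub64[] = { 0xff, 0x25, 0x00, 0x00, 0x00, 0x00 };
+constexpr auto STUB_SIZE64 = sizeof(stub64) + sizeof(UINT64);
+
+constexpr UINT8 stub32[] = { 0xe9 };
+constexpr auto STUB_SIZE32 = sizeof(stub32) + sizeof(UINT32);
+
+#ifdef ARR_SHELLCODE32
+#else
+#define ARR_SHELLCODE32 { 0 }
+#error shellcode not defined, use the cmake build as it defined this
+#endif
+
+#ifdef ARR_SHELLCODE64
+#else
+#define ARR_SHELLCODE64 { 0 }
+#error shellcode not defined, use the cmake build as it defined this
+#endif
+
+void hook64(void* func, void* target);
+void hook32(void* func, void* target);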
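Review bot: The guard blocks at lines 10-14 and 16-20 define ARR_SHELLCODE32/64 to `{ 0 }` and then immediately `#error`, so the defines are dead code; each block collapses to `#ifndef ARR_SHELLCODE32` / `#error ARR_SHELLCODE32 not defined, use the cmake build which defines it` / `#endif`, and likewise for the 64-bit symbol, which also names the missing macro in the message. The hook64/hook32 prototypes should state which argument is the patched location and which is the destination, and (presumably, from STUB_SIZE64 / STUB_SIZE32) how many bytes at that location are overwritten, since callers need that to know what they must preserve; the implementation is not in this page, so I cannot see what other preconditions it has. `stub64`/`stub32` likewise merit a one-line comment explaining that STUB_SIZE adds the size of the trailing address operand.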

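--- a/include/kptnhook/known_dlls.h
+++ b/include/kptnhook/known_dlls.h
@@ -0,0 +1,6 @@
+#pragma once
+#include <ntifs.h>
+#include <arch.h>
+
+NTSTATUS remove_known_dll(const UNICODE_STRING* filename, bool native_arch);
+NTSTATUS add_known_dll(const UNICODE_STRING* filename, arch a);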
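Review bot: The two declarations take the architecture in different forms — `remove_known_dll` a `bool native_arch`, `add_known_dll` an `arch` value — which forces callers to convert between them and leaves it unclear whether removal deliberately ignores the bitness half of `arch`; either accept `arch` on both, or document why removal only needs the compat flag. `#include <arch.h>` uses angle brackets for a project header and so relies on the include directory added in include/kptnhook/CMakeLists.txt; `#include "arch.h"` states that it is a sibling header and resolves even without that entry. Neither function documents which NTSTATUS values a caller should expect on failure.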
