Converted ZwQuerySystemInformation to dynamic call
parent
22a09441ab
commit
302d8e2f72
@ -1,15 +1,15 @@
|
|||||||
/* ___ _ _ _
|
/* ___ _ _ _
|
||||||
* |_ _|_ _| |_ ___ _ _ _ _ __ _| | | |_ _ _ _ __ ___ ___
|
* |_ _|_ _| |_ ___ _ _ _ _ __ _| | | |_ _ _ _ __ ___ ___
|
||||||
* | || ' \ _/ -_) '_| ' \/ _` | | | _| || | '_ \/ -_|_-<
|
* | || ' \ _/ -_) '_| ' \/ _` | | | _| || | '_ \/ -_|_-<
|
||||||
* |___|_||_\__\___|_| |_||_\__,_|_| \__|\_, | .__/\___/__/
|
* |___|_||_\__\___|_| |_||_\__,_|_| \__|\_, | .__/\___/__/
|
||||||
* |__/|_|
|
* |__/|_|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#pragma once
|
#pragma once
|
||||||
|
|
||||||
//
|
//
|
||||||
// SDK/WDK
|
// SDK/WDK
|
||||||
//
|
//
|
||||||
#include <ntifs.h>
|
#include <ntifs.h>
|
||||||
#include <ntintsafe.h>
|
#include <ntintsafe.h>
|
||||||
#include <ntimage.h>
|
#include <ntimage.h>
|
||||||
@ -21,11 +21,11 @@
|
|||||||
#include "Domito.h"
|
#include "Domito.h"
|
||||||
|
|
||||||
|
|
||||||
/* _ _ _ ___ _ _ _
|
/* _ _ _ ___ _ _ _
|
||||||
* | \| | |_| \| | | ___| |_ __
|
* | \| | |_| \| | | ___| |_ __
|
||||||
* | .` | _| |) | | | / -_) _/ _|_
|
* | .` | _| |) | | | / -_) _/ _|_
|
||||||
* |_|\_|\__|___/|_|_| \___|\__\__(_)
|
* |_|\_|\__|___/|_|_| \___|\__\__(_)
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// Structure representing a loaded module
|
// Structure representing a loaded module
|
||||||
@ -50,14 +50,6 @@ typedef struct _SYSTEM_MODULE_INFORMATION
|
|||||||
SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
|
SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
|
||||||
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
|
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
|
||||||
|
|
||||||
// Function prototype for ZwQuerySystemInformation
|
|
||||||
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
|
|
||||||
_In_ ULONG SystemInformationClass,
|
|
||||||
_Inout_ PVOID SystemInformation,
|
|
||||||
_In_ ULONG SystemInformationLength,
|
|
||||||
_Out_opt_ PULONG ReturnLength
|
|
||||||
);
|
|
||||||
|
|
||||||
typedef struct _LDR_DATA_TABLE_ENTRY
|
typedef struct _LDR_DATA_TABLE_ENTRY
|
||||||
{
|
{
|
||||||
LIST_ENTRY64 InLoadOrderLinks;
|
LIST_ENTRY64 InLoadOrderLinks;
|
||||||
@ -97,6 +89,13 @@ typedef NTSTATUS(NTAPI* t_ZwQueryInformationProcess) (
|
|||||||
__out_opt PULONG ReturnLength
|
__out_opt PULONG ReturnLength
|
||||||
);
|
);
|
||||||
|
|
||||||
|
typedef NTSTATUS(NTAPI* t_ZwQuerySystemInformation)(
|
||||||
|
_In_ ULONG SystemInformationClass,
|
||||||
|
_Inout_ PVOID SystemInformation,
|
||||||
|
_In_ ULONG SystemInformationLength,
|
||||||
|
_Out_opt_ PULONG ReturnLength
|
||||||
|
);
|
||||||
|
|
||||||
/* ___
|
/* ___
|
||||||
* / __|___ _ __ _ __ ___ _ _
|
* / __|___ _ __ _ __ ___ _ _
|
||||||
* | (__/ _ \ ' \| ' \/ _ \ ' \
|
* | (__/ _ \ ' \| ' \/ _ \ ' \
|
||||||
@ -109,22 +108,24 @@ typedef struct
|
|||||||
t_RtlImageDirectoryEntryToData RtlImageDirectoryEntryToData;
|
t_RtlImageDirectoryEntryToData RtlImageDirectoryEntryToData;
|
||||||
|
|
||||||
t_ZwQueryInformationProcess ZwQueryInformationProcess;
|
t_ZwQueryInformationProcess ZwQueryInformationProcess;
|
||||||
|
|
||||||
|
t_ZwQuerySystemInformation ZwQuerySystemInformation;
|
||||||
|
|
||||||
} DOMITO_COMMON;
|
} DOMITO_COMMON;
|
||||||
|
|
||||||
extern DOMITO_COMMON G_Common;
|
extern DOMITO_COMMON G_Common;
|
||||||
|
|
||||||
|
|
||||||
/* __ __ __ __ _
|
/* __ __ __ __ _
|
||||||
* | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
|
* | \/ |___ _ __ ___ _ _ _ _ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_
|
||||||
* | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
|
* | |\/| / -_) ' \/ _ \ '_| || | | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|
|
||||||
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
|
* |_| |_\___|_|_|_\___/_| \_, | |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__|
|
||||||
* |__/ |___/
|
* |__/ |___/
|
||||||
*/
|
*/
|
||||||
|
|
||||||
//
|
//
|
||||||
// Default pool tag
|
// Default pool tag
|
||||||
//
|
//
|
||||||
#define DOMITO_POOL_TAG 'imoD'
|
#define DOMITO_POOL_TAG 'imoD'
|
||||||
|
|
||||||
//
|
//
|
||||||
|
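Review bot: The `t_ZwQuerySystemInformation` typedef and the new `ZwQuerySystemInformation` member of `DOMITO_COMMON` (the struct's opening line is outside this hunk) say nothing about where the pointer comes from or that it can be NULL, even though the consumer in the .c file now has to test it before every use. Add above the member `// Resolved in DomitoInit() via MmGetSystemRoutineAddress; NULL when the export is absent, so callers must check before use`. The typedef also takes SystemInformationClass as a bare `ULONG` while the caller hardcodes `11` for SystemModuleInformation; a named constant beside the typedef, `#define DOMITO_SYSTEM_MODULE_INFORMATION 11`, would keep the magic number out of the call site. Because this is the Zw entry point invoked from kernel mode, the SystemInformation buffer is not probed on the driver's behalf, so the comment should also state that callers must pass a kernel buffer of at least the length returned by the size query.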
@ -12,6 +12,7 @@ DOMITO_COMMON G_Common = {};
|
|||||||
|
|
||||||
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
|
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
|
||||||
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
|
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
|
||||||
|
DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QsiRoutineName, L"ZwQuerySystemInformation");
|
||||||
|
|
||||||
#ifndef LOG
|
#ifndef LOG
|
||||||
#define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
|
#define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
|
||||||
@ -32,6 +33,8 @@ DomitoInit()
|
|||||||
(t_ZwQueryInformationProcess)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QipRoutineName);
|
(t_ZwQueryInformationProcess)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QipRoutineName);
|
||||||
G_Common.RtlImageDirectoryEntryToData =
|
G_Common.RtlImageDirectoryEntryToData =
|
||||||
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
|
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
|
||||||
|
G_Common.ZwQuerySystemInformation =
|
||||||
|
(t_ZwQuerySystemInformation)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QsiRoutineName);
|
||||||
|
|
||||||
return STATUS_SUCCESS; // TODO: unused currently
|
return STATUS_SUCCESS; // TODO: unused currently
|
||||||
}
|
}
|
||||||
@ -56,10 +59,15 @@ DomitoFindModuleBaseAddress(
|
|||||||
ULONG bufferSize = 0;
|
ULONG bufferSize = 0;
|
||||||
PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
|
PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
|
||||||
|
|
||||||
|
if (!G_Common.ZwQuerySystemInformation)
|
||||||
|
{
|
||||||
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
|
}
|
||||||
|
|
||||||
const ULONG SystemModuleInformation = 11;
|
const ULONG SystemModuleInformation = 11;
|
||||||
|
|
||||||
// Query the required buffer size for module information
|
// Query the required buffer size for module information
|
||||||
NTSTATUS status = ZwQuerySystemInformation(
|
NTSTATUS status = G_Common.ZwQuerySystemInformation(
|
||||||
SystemModuleInformation,
|
SystemModuleInformation,
|
||||||
&bufferSize,
|
&bufferSize,
|
||||||
0,
|
0,
|
||||||
@ -82,7 +90,7 @@ DomitoFindModuleBaseAddress(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Retrieve the module information
|
// Retrieve the module information
|
||||||
status = ZwQuerySystemInformation(
|
status = G_Common.ZwQuerySystemInformation(
|
||||||
SystemModuleInformation,
|
SystemModuleInformation,
|
||||||
moduleInfo,
|
moduleInfo,
|
||||||
bufferSize,
|
bufferSize,
|
||||||
@ -133,7 +141,7 @@ DomitoFindExportedFunctionAddress(
|
|||||||
{
|
{
|
||||||
NTSTATUS status = STATUS_NOT_FOUND;
|
NTSTATUS status = STATUS_NOT_FOUND;
|
||||||
ULONG exportSize;
|
ULONG exportSize;
|
||||||
|
|
||||||
if (G_Common.RtlImageDirectoryEntryToData == NULL)
|
if (G_Common.RtlImageDirectoryEntryToData == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
|