Exposed custom allocator callback
This commit is contained in:
parent
3727b600ce
commit
a6b7b455ec
@ -64,16 +64,19 @@ typedef PVOID(NTAPI* t_RtlImageDirectoryEntryToData)(
|
|||||||
|
|
||||||
typedef
|
typedef
|
||||||
_IRQL_requires_same_
|
_IRQL_requires_same_
|
||||||
_Function_class_(DOMITO_ALLOCATE_ROUTINE)
|
_Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE)
|
||||||
__drv_allocatesMem(Mem)
|
__drv_allocatesMem(Mem)
|
||||||
PVOID
|
PVOID
|
||||||
NTAPI
|
NTAPI
|
||||||
DOMITO_ALLOCATE_ROUTINE(
|
EVT_DOMITO_ALLOCATE_ROUTINE(
|
||||||
_In_ SIZE_T ByteSize
|
_In_ SIZE_T ByteSize
|
||||||
);
|
);
|
||||||
typedef DOMITO_ALLOCATE_ROUTINE* PDOMITO_ALLOCATE_ROUTINE;
|
typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE;
|
||||||
|
|
||||||
|
|
||||||
|
//
|
||||||
|
// Finds the base address of a driver module
|
||||||
|
//
|
||||||
_Success_(return == STATUS_SUCCESS)
|
_Success_(return == STATUS_SUCCESS)
|
||||||
_Must_inspect_result_
|
_Must_inspect_result_
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
@ -81,9 +84,13 @@ EXTERN_C
|
|||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoFindDriverBaseAddress(
|
DomitoFindDriverBaseAddress(
|
||||||
_In_ STRING ModuleName,
|
_In_ STRING ModuleName,
|
||||||
|
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
|
||||||
_Inout_opt_ PVOID * ModuleBase
|
_Inout_opt_ PVOID * ModuleBase
|
||||||
);
|
);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Finds the address of an exported function by name
|
||||||
|
//
|
||||||
_Success_(return == STATUS_SUCCESS)
|
_Success_(return == STATUS_SUCCESS)
|
||||||
_Must_inspect_result_
|
_Must_inspect_result_
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
|
210
src/Domito.cpp
210
src/Domito.cpp
@ -4,87 +4,83 @@
|
|||||||
#include "Domito.h"
|
#include "Domito.h"
|
||||||
|
|
||||||
|
|
||||||
//
|
|
||||||
// Finds the base address of a driver module
|
|
||||||
//
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
_Success_(return == STATUS_SUCCESS)
|
||||||
_Must_inspect_result_
|
_Must_inspect_result_
|
||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoFindDriverBaseAddress(
|
DomitoFindDriverBaseAddress(
|
||||||
_In_ STRING ModuleName,
|
_In_ STRING ModuleName,
|
||||||
_Inout_opt_ PVOID* ModuleBase
|
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
|
||||||
|
_Inout_opt_ PVOID * ModuleBase
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
ULONG bufferSize = 0;
|
ULONG bufferSize = 0;
|
||||||
PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
|
PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
|
||||||
|
|
||||||
const ULONG SystemModuleInformation = 11;
|
const ULONG SystemModuleInformation = 11;
|
||||||
|
|
||||||
// Query the required buffer size for module information
|
// Query the required buffer size for module information
|
||||||
NTSTATUS status = ZwQuerySystemInformation(
|
NTSTATUS status = ZwQuerySystemInformation(
|
||||||
SystemModuleInformation,
|
SystemModuleInformation,
|
||||||
&bufferSize,
|
&bufferSize,
|
||||||
0,
|
0,
|
||||||
&bufferSize
|
&bufferSize
|
||||||
);
|
);
|
||||||
|
|
||||||
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
if (status != STATUS_INFO_LENGTH_MISMATCH)
|
||||||
{
|
{
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
#pragma warning(disable:4996)
|
#pragma warning(disable:4996)
|
||||||
// Allocate memory for the module information
|
// Allocate memory for the module information
|
||||||
moduleInfo = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(
|
moduleInfo = (PSYSTEM_MODULE_INFORMATION)Allocator(
|
||||||
NonPagedPool,
|
bufferSize
|
||||||
bufferSize,
|
);
|
||||||
'looP'
|
|
||||||
);
|
|
||||||
#pragma warning(default:4996)
|
#pragma warning(default:4996)
|
||||||
|
|
||||||
if (moduleInfo == NULL)
|
if (moduleInfo == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Retrieve the module information
|
// Retrieve the module information
|
||||||
status = ZwQuerySystemInformation(
|
status = ZwQuerySystemInformation(
|
||||||
SystemModuleInformation,
|
SystemModuleInformation,
|
||||||
moduleInfo,
|
moduleInfo,
|
||||||
bufferSize,
|
bufferSize,
|
||||||
NULL
|
NULL
|
||||||
);
|
);
|
||||||
|
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
ExFreePool(moduleInfo);
|
ExFreePool(moduleInfo);
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
STRING currentImageName;
|
STRING currentImageName;
|
||||||
|
|
||||||
status = STATUS_NOT_FOUND;
|
status = STATUS_NOT_FOUND;
|
||||||
// Iterate through the loaded modules and find the desired module
|
// Iterate through the loaded modules and find the desired module
|
||||||
for (ULONG i = 0; i < moduleInfo->Count; i++)
|
for (ULONG i = 0; i < moduleInfo->Count; i++)
|
||||||
{
|
{
|
||||||
RtlInitAnsiString(¤tImageName, moduleInfo->Module[i].ImageName);
|
RtlInitAnsiString(¤tImageName, moduleInfo->Module[i].ImageName);
|
||||||
|
|
||||||
if (0 == RtlCompareString(&ModuleName, ¤tImageName, TRUE))
|
if (0 == RtlCompareString(&ModuleName, ¤tImageName, TRUE))
|
||||||
{
|
{
|
||||||
// Found the module, store the base address
|
// Found the module, store the base address
|
||||||
if (ModuleBase)
|
if (ModuleBase)
|
||||||
{
|
{
|
||||||
status = STATUS_SUCCESS;
|
status = STATUS_SUCCESS;
|
||||||
*ModuleBase = moduleInfo->Module[i].Base;
|
*ModuleBase = moduleInfo->Module[i].Base;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ExFreePool(moduleInfo);
|
ExFreePool(moduleInfo);
|
||||||
|
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
_Success_(return == STATUS_SUCCESS)
|
_Success_(return == STATUS_SUCCESS)
|
||||||
@ -92,64 +88,64 @@ _Must_inspect_result_
|
|||||||
_IRQL_requires_max_(PASSIVE_LEVEL)
|
_IRQL_requires_max_(PASSIVE_LEVEL)
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
DomitoFindExportedFunctionAddress(
|
DomitoFindExportedFunctionAddress(
|
||||||
_In_ PVOID ModuleBase,
|
_In_ PVOID ModuleBase,
|
||||||
_In_ STRING FunctionName,
|
_In_ STRING FunctionName,
|
||||||
_Inout_opt_ PVOID* FunctionAddress
|
_Inout_opt_ PVOID * FunctionAddress
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
NTSTATUS status = STATUS_NOT_FOUND;
|
NTSTATUS status = STATUS_NOT_FOUND;
|
||||||
ULONG exportSize;
|
ULONG exportSize;
|
||||||
|
|
||||||
DECLARE_CONST_UNICODE_STRING(routineName, L"RtlImageDirectoryEntryToData");
|
DECLARE_CONST_UNICODE_STRING(routineName, L"RtlImageDirectoryEntryToData");
|
||||||
|
|
||||||
const t_RtlImageDirectoryEntryToData fp_RtlImageDirectoryEntryToData =
|
const t_RtlImageDirectoryEntryToData fp_RtlImageDirectoryEntryToData =
|
||||||
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&routineName);
|
(t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&routineName);
|
||||||
|
|
||||||
if (fp_RtlImageDirectoryEntryToData == NULL)
|
if (fp_RtlImageDirectoryEntryToData == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_NOT_IMPLEMENTED;
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Retrieve the export directory information
|
// Retrieve the export directory information
|
||||||
const PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)fp_RtlImageDirectoryEntryToData(
|
const PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)fp_RtlImageDirectoryEntryToData(
|
||||||
ModuleBase,
|
ModuleBase,
|
||||||
TRUE,
|
TRUE,
|
||||||
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
||||||
&exportSize
|
&exportSize
|
||||||
);
|
);
|
||||||
|
|
||||||
if (exportDirectory == NULL)
|
if (exportDirectory == NULL)
|
||||||
{
|
{
|
||||||
return STATUS_INVALID_IMAGE_FORMAT;
|
return STATUS_INVALID_IMAGE_FORMAT;
|
||||||
}
|
}
|
||||||
|
|
||||||
STRING currentFunctionName;
|
STRING currentFunctionName;
|
||||||
|
|
||||||
const PULONG functionAddresses = (PULONG)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfFunctions);
|
|
||||||
const PULONG functionNames = (PULONG)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfNames);
|
|
||||||
const PUSHORT functionOrdinals = (PUSHORT)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfNameOrdinals);
|
|
||||||
|
|
||||||
for (ULONG i = 0; i < exportDirectory->NumberOfNames; i++)
|
const PULONG functionAddresses = (PULONG)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfFunctions);
|
||||||
{
|
const PULONG functionNames = (PULONG)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfNames);
|
||||||
const char* functionName = (const char*)((ULONG_PTR)ModuleBase + functionNames[i]);
|
const PUSHORT functionOrdinals = (PUSHORT)((ULONG_PTR)ModuleBase + exportDirectory->AddressOfNameOrdinals);
|
||||||
const USHORT functionOrdinal = functionOrdinals[i];
|
|
||||||
UNREFERENCED_PARAMETER(functionOrdinal);
|
|
||||||
|
|
||||||
const ULONG functionRva = functionAddresses[i];
|
for (ULONG i = 0; i < exportDirectory->NumberOfNames; i++)
|
||||||
const PVOID functionAddress = (PVOID)((ULONG_PTR)ModuleBase + functionRva);
|
{
|
||||||
|
const char* functionName = (const char*)((ULONG_PTR)ModuleBase + functionNames[i]);
|
||||||
|
const USHORT functionOrdinal = functionOrdinals[i];
|
||||||
|
UNREFERENCED_PARAMETER(functionOrdinal);
|
||||||
|
|
||||||
RtlInitAnsiString(¤tFunctionName, functionName);
|
const ULONG functionRva = functionAddresses[i];
|
||||||
|
const PVOID functionAddress = (PVOID)((ULONG_PTR)ModuleBase + functionRva);
|
||||||
|
|
||||||
if (0 == RtlCompareString(&FunctionName, ¤tFunctionName, TRUE))
|
RtlInitAnsiString(¤tFunctionName, functionName);
|
||||||
{
|
|
||||||
if (FunctionAddress)
|
|
||||||
{
|
|
||||||
status = STATUS_SUCCESS;
|
|
||||||
*FunctionAddress = functionAddress;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return status;
|
if (0 == RtlCompareString(&FunctionName, ¤tFunctionName, TRUE))
|
||||||
|
{
|
||||||
|
if (FunctionAddress)
|
||||||
|
{
|
||||||
|
status = STATUS_SUCCESS;
|
||||||
|
*FunctionAddress = functionAddress;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return status;
|
||||||
}
|
}
|
||||||
|
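Review bot: The module buffer is now obtained from the caller-supplied `Allocator` (the `moduleInfo = (PSYSTEM_MODULE_INFORMATION)Allocator(` line) but is still released with `ExFreePool(moduleInfo);` on both the error path after the second `ZwQuerySystemInformation` call and the normal exit, so a callback that does not return executive pool memory would make these frees corrupt the pool or fault. Either pair the allocator with a caller-supplied release callback — a typedef mirroring `EVT_DOMITO_ALLOCATE_ROUTINE` in the header, a `_In_ PFN_DOMITO_FREE_ROUTINE Free,` parameter (name constructed to match the existing naming) and `Free(moduleInfo);` in place of both `ExFreePool` calls — or state in the header comment above `DomitoFindDriverBaseAddress` that `Allocator` must return memory that `ExFreePool` can release. The `#pragma warning(disable:4996)` / `#pragma warning(default:4996)` pair that wrapped the deprecated `ExAllocatePoolWithTag` call now wraps only the callback invocation and no longer suppresses anything, so it can be dropped. The second hunk of this file appears to only move the export-walk declarations and loop body without changing their text, so it is likely whitespace-only.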