FlyFar

driver_sourcecode

Jun 5th, 2023
189
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 17.07 KB | Cybersecurity | 0 0
  1. #include <ntifs.h>
  2. #include <ntddk.h>
  3.  
  4. typedef struct _SYSTEM_THREAD_INFORMATION
  5. {
  6.     LARGE_INTEGER KernelTime;
  7.     LARGE_INTEGER UserTime;
  8.     LARGE_INTEGER CreateTime;
  9.     ULONG WaitTime;
  10.     PVOID StartAddress;
  11.     CLIENT_ID ClientId;
  12.     KPRIORITY Priority;
  13.     LONG BasePriority;
  14.     ULONG ContextSwitches;
  15.     ULONG ThreadState;
  16.     KWAIT_REASON WaitReason;
  17. }SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREAD_INFORMATION;
  18.  
  19. typedef struct _SYSTEM_PROCESS_INFO
  20. {
  21.     ULONG NextEntryOffset;
  22.     ULONG NumberOfThreads;
  23.     LARGE_INTEGER WorkingSetPrivateSize;
  24.     ULONG HardFaultCount;
  25.     ULONG NumberOfThreadsHighWatermark;
  26.     ULONGLONG CycleTime;
  27.     LARGE_INTEGER CreateTime;
  28.     LARGE_INTEGER UserTime;
  29.     LARGE_INTEGER KernelTime;
  30.     UNICODE_STRING ImageName;
  31.     KPRIORITY BasePriority;
  32.     HANDLE UniqueProcessId;
  33.     HANDLE InheritedFromUniqueProcessId;
  34.     ULONG HandleCount;
  35.     ULONG SessionId;
  36.     ULONG_PTR UniqueProcessKey;
  37.     SIZE_T PeakVirtualSize;
  38.     SIZE_T VirtualSize;
  39.     ULONG PageFaultCount;
  40.     SIZE_T PeakWorkingSetSize;
  41.     SIZE_T WorkingSetSize;
  42.     SIZE_T QuotaPeakPagedPoolUsage;
  43.     SIZE_T QuotaPagedPoolUsage;
  44.     SIZE_T QuotaPeakNonPagedPoolUsage;
  45.     SIZE_T QuotaNonPagedPoolUsage;
  46.     SIZE_T PagefileUsage;
  47.     SIZE_T PeakPagefileUsage;
  48.     SIZE_T PrivatePageCount;
  49.     LARGE_INTEGER ReadOperationCount;
  50.     LARGE_INTEGER WriteOperationCount;
  51.     LARGE_INTEGER OtherOperationCount;
  52.     LARGE_INTEGER ReadTransferCount;
  53.     LARGE_INTEGER WriteTransferCount;
  54.     LARGE_INTEGER OtherTransferCount;
  55.     SYSTEM_THREAD_INFORMATION Threads[1];
  56. }SYSTEM_PROCESS_INFO,*PSYSTEM_PROCESS_INFO;
  57.  
  58. typedef struct _LDR_DATA_TABLE_ENTRY
  59. {
  60.      LIST_ENTRY InLoadOrderLinks;
  61.      LIST_ENTRY InMemoryOrderLinks;
  62.      LIST_ENTRY InInitializationOrderLinks;
  63.      PVOID DllBase;
  64.      PVOID EntryPoint;
  65.      ULONG SizeOfImage;
  66.      UNICODE_STRING FullDllName;
  67.      UNICODE_STRING BaseDllName;
  68.      ULONG Flags;
  69.      USHORT LoadCount;
  70.      USHORT TlsIndex;
  71.  
  72.      union
  73.      {
  74.           LIST_ENTRY HashLinks;
  75.  
  76.           struct
  77.           {
  78.                PVOID SectionPointer;
  79.                ULONG CheckSum;
  80.           };
  81.      };
  82.  
  83.      union
  84.      {
  85.           ULONG TimeDateStamp;
  86.           PVOID LoadedImports;
  87.      };
  88.  
  89.      struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
  90.      PVOID PatchInformation;
  91.      LIST_ENTRY ForwarderLinks;
  92.      LIST_ENTRY ServiceTagLinks;
  93.      LIST_ENTRY StaticLinks;
  94. }LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
  95.  
  96. typedef struct _IMAGE_DOS_HEADER
  97. {
  98.      USHORT e_magic;
  99.      USHORT e_cblp;
  100.      USHORT e_cp;
  101.      USHORT e_crlc;
  102.      USHORT e_cparhdr;
  103.      USHORT e_minalloc;
  104.      USHORT e_maxalloc;
  105.      USHORT e_ss;
  106.      USHORT e_sp;
  107.      USHORT e_csum;
  108.      USHORT e_ip;
  109.      USHORT e_cs;
  110.      USHORT e_lfarlc;
  111.      USHORT e_ovno;
  112.      USHORT e_res[4];
  113.      USHORT e_oemid;
  114.      USHORT e_oeminfo;
  115.      USHORT e_res2[10];
  116.      LONG e_lfanew;
  117. }IMAGE_DOS_HEADER,*PIMAGE_DOS_HEADER;
  118.  
  119. typedef struct _IMAGE_DATA_DIRECTORY
  120. {
  121.      ULONG VirtualAddress;
  122.      ULONG Size;
  123. }IMAGE_DATA_DIRECTORY,*PIMAGE_DATA_DIRECTORY;
  124.  
  125. typedef struct _IMAGE_FILE_HEADER
  126. {
  127.      USHORT Machine;
  128.      USHORT NumberOfSections;
  129.      ULONG TimeDateStamp;
  130.      ULONG PointerToSymbolTable;
  131.      ULONG NumberOfSymbols;
  132.      USHORT SizeOfOptionalHeader;
  133.      USHORT Characteristics;
  134. }IMAGE_FILE_HEADER,*PIMAGE_FILE_HEADER;
  135.  
  136. typedef struct _IMAGE_OPTIONAL_HEADER
  137. {
  138.      USHORT Magic;
  139.      UCHAR MajorLinkerVersion;
  140.      UCHAR MinorLinkerVersion;
  141.      ULONG SizeOfCode;
  142.      ULONG SizeOfInitializedData;
  143.      ULONG SizeOfUninitializedData;
  144.      ULONG AddressOfEntryPoint;
  145.      ULONG BaseOfCode;
  146.      ULONG BaseOfData;
  147.      ULONG ImageBase;
  148.      ULONG SectionAlignment;
  149.      ULONG FileAlignment;
  150.      USHORT MajorOperatingSystemVersion;
  151.      USHORT MinorOperatingSystemVersion;
  152.      USHORT MajorImageVersion;
  153.      USHORT MinorImageVersion;
  154.      USHORT MajorSubsystemVersion;
  155.      USHORT MinorSubsystemVersion;
  156.      ULONG Win32VersionValue;
  157.      ULONG SizeOfImage;
  158.      ULONG SizeOfHeaders;
  159.      ULONG CheckSum;
  160.      USHORT Subsystem;
  161.      USHORT DllCharacteristics;
  162.      ULONG SizeOfStackReserve;
  163.      ULONG SizeOfStackCommit;
  164.      ULONG SizeOfHeapReserve;
  165.      ULONG SizeOfHeapCommit;
  166.      ULONG LoaderFlags;
  167.      ULONG NumberOfRvaAndSizes;
  168.      IMAGE_DATA_DIRECTORY DataDirectory[16];
  169. }IMAGE_OPTIONAL_HEADER,*PIMAGE_OPTIONAL_HEADER;
  170.  
  171. typedef struct _IMAGE_NT_HEADERS
  172. {
  173.      ULONG Signature;
  174.      IMAGE_FILE_HEADER FileHeader;
  175.      IMAGE_OPTIONAL_HEADER OptionalHeader;
  176. }IMAGE_NT_HEADERS,*PIMAGE_NT_HEADERS;
  177.  
  178. typedef struct _IMAGE_EXPORT_DIRECTORY
  179. {
  180.     ULONG   Characteristics;
  181.     ULONG   TimeDateStamp;
  182.     USHORT  MajorVersion;
  183.     USHORT  MinorVersion;
  184.     ULONG   Name;
  185.     ULONG   Base;
  186.     ULONG   NumberOfFunctions;
  187.     ULONG   NumberOfNames;
  188.     ULONG   AddressOfFunctions;
  189.     ULONG   AddressOfNames;
  190.     ULONG   AddressOfNameOrdinals;
  191. }IMAGE_EXPORT_DIRECTORY,*PIMAGE_EXPORT_DIRECTORY;
  192.  
  193. #define IMAGE_DIRECTORY_ENTRY_EXPORT 0
  194.  
  195. extern "C" NTSTATUS ZwQuerySystemInformation(ULONG InfoClass,PVOID Buffer,ULONG Length,PULONG ReturnLength);
  196. extern "C" LPSTR PsGetProcessImageFileName(PEPROCESS Process);
  197.  
  198. typedef NTSTATUS (*PLDR_LOAD_DLL)(PWSTR,PULONG,PUNICODE_STRING,PVOID*);
  199.  
  200. typedef struct _INJECT_INFO
  201. {
  202.     HANDLE ProcessId;
  203.     wchar_t DllName[1024];
  204. }INJECT_INFO,*PINJECT_INFO;
  205.  
  206. typedef struct _KINJECT
  207. {
  208.     UNICODE_STRING DllName;
  209.     wchar_t Buffer[1024];
  210.     PLDR_LOAD_DLL LdrLoadDll;
  211.     PVOID DllBase;
  212.     ULONG Executed;
  213. }KINJECT,*PKINJECT;
  214.  
  215. typedef enum _KAPC_ENVIRONMENT
  216. {
  217.     OriginalApcEnvironment,
  218.     AttachedApcEnvironment,
  219.     CurrentApcEnvironment,
  220.     InsertApcEnvironment
  221. }KAPC_ENVIRONMENT,*PKAPC_ENVIRONMENT;
  222.  
  223. typedef VOID (NTAPI *PKNORMAL_ROUTINE)(
  224.     PVOID NormalContext,
  225.     PVOID SystemArgument1,
  226.     PVOID SystemArgument2
  227.     );
  228.  
  229. typedef VOID KKERNEL_ROUTINE(
  230.     PRKAPC Apc,
  231.     PKNORMAL_ROUTINE *NormalRoutine,
  232.     PVOID *NormalContext,
  233.     PVOID *SystemArgument1,
  234.     PVOID *SystemArgument2
  235.     );
  236.  
  237. typedef KKERNEL_ROUTINE (NTAPI *PKKERNEL_ROUTINE);
  238.  
  239. typedef VOID (NTAPI *PKRUNDOWN_ROUTINE)(
  240.     PRKAPC Apc
  241.     );
  242.  
  243. extern "C" void KeInitializeApc(
  244.     PRKAPC Apc,
  245.     PRKTHREAD Thread,
  246.     KAPC_ENVIRONMENT Environment,
  247.     PKKERNEL_ROUTINE KernelRoutine,
  248.     PKRUNDOWN_ROUTINE RundownRoutine,
  249.     PKNORMAL_ROUTINE NormalRoutine,
  250.     KPROCESSOR_MODE ProcessorMode,
  251.     PVOID NormalContext
  252.     );
  253.  
  254. extern "C" BOOLEAN KeInsertQueueApc(
  255.     PRKAPC Apc,
  256.     PVOID SystemArgument1,
  257.     PVOID SystemArgument2,
  258.     KPRIORITY Increment
  259.     );
  260.  
  261. UNICODE_STRING DeviceName=RTL_CONSTANT_STRING(L"\\Device\\KeInject"),SymbolicLink=RTL_CONSTANT_STRING(L"\\DosDevices\\KeInject");
  262.  
  263. ULONG ApcStateOffset; // Offset to the ApcState structure
  264. PLDR_LOAD_DLL LdrLoadDll; // LdrLoadDll address
  265.  
  266. void Unload(PDRIVER_OBJECT pDriverObject)
  267. {
  268.     DbgPrint("DLL injection driver unloaded.");
  269.  
  270.     IoDeleteSymbolicLink(&SymbolicLink);
  271.     IoDeleteDevice(pDriverObject->DeviceObject);
  272. }
  273.  
  274. void NTAPI KernelRoutine(PKAPC apc,PKNORMAL_ROUTINE* NormalRoutine,PVOID* NormalContext,PVOID* SystemArgument1,PVOID* SystemArgument2)
  275. {
  276.     ExFreePool(apc);
  277. }
  278.  
  279. void NTAPI InjectDllApc(PVOID NormalContext,PVOID SystemArgument1,PVOID SystemArgument2)
  280. {
  281.     PKINJECT inject=(PKINJECT)NormalContext;
  282.  
  283.     inject->LdrLoadDll(NULL,NULL,&inject->DllName,&inject->DllBase);
  284.     inject->Executed=TRUE;
  285. }
  286.  
  287. BOOLEAN InjectDll(PINJECT_INFO InjectInfo)
  288. {
  289.     PEPROCESS Process;
  290.     PETHREAD Thread;
  291.  
  292.     PKINJECT mem;
  293.     ULONG size;
  294.  
  295.     PKAPC_STATE ApcState;
  296.     PKAPC apc;
  297.  
  298.     PVOID buffer;
  299.     PSYSTEM_PROCESS_INFO pSpi;
  300.  
  301.     LARGE_INTEGER delay;
  302.  
  303.     buffer=ExAllocatePool(NonPagedPool,1024*1024); // Allocate memory for the system information
  304.  
  305.     if(!buffer)
  306.     {
  307.         DbgPrint("Error: Unable to allocate memory for the process thread list.");
  308.         return FALSE;
  309.     }
  310.  
  311.     // Get the process thread list
  312.  
  313.     if(!NT_SUCCESS(ZwQuerySystemInformation(5,buffer,1024*1024,NULL)))
  314.     {
  315.         DbgPrint("Error: Unable to query process thread list.");
  316.          
  317.         ExFreePool(buffer);
  318.         return FALSE;
  319.     }
  320.  
  321.     pSpi=(PSYSTEM_PROCESS_INFO)buffer;
  322.  
  323.     // Find a target thread
  324.  
  325.     while(pSpi->NextEntryOffset)
  326.     {
  327.         if(pSpi->UniqueProcessId==InjectInfo->ProcessId)
  328.         {
  329.             DbgPrint("Target thread found. TID: %d",pSpi->Threads[0].ClientId.UniqueThread);
  330.             break;
  331.         }
  332.  
  333.         pSpi=(PSYSTEM_PROCESS_INFO)((PUCHAR)pSpi+pSpi->NextEntryOffset);
  334.     }
  335.  
  336.     // Reference the target process
  337.  
  338.     if(!NT_SUCCESS(PsLookupProcessByProcessId(InjectInfo->ProcessId,&Process)))
  339.     {
  340.         DbgPrint("Error: Unable to reference the target process.");
  341.          
  342.         ExFreePool(buffer);
  343.         return FALSE;
  344.     }
  345.  
  346.     DbgPrint("Process name: %s",PsGetProcessImageFileName(Process));
  347.     DbgPrint("EPROCESS address: %#x",Process);
  348.  
  349.     // Reference the target thread
  350.  
  351.     if(!NT_SUCCESS(PsLookupThreadByThreadId(pSpi->Threads[0].ClientId.UniqueThread,&Thread)))
  352.     {
  353.         DbgPrint("Error: Unable to reference the target thread.");
  354.         ObDereferenceObject(Process); // Dereference the target process
  355.  
  356.         ExFreePool(buffer); // Free the allocated memory
  357.         return FALSE;
  358.     }
  359.  
  360.     DbgPrint("ETHREAD address: %#x",Thread);
  361.  
  362.     ExFreePool(buffer); // Free the allocated memory
  363.     KeAttachProcess(Process); // Attach to target process's address space
  364.  
  365.     mem=NULL;
  366.     size=4096;
  367.  
  368.     // Allocate memory in the target process
  369.  
  370.     if(!NT_SUCCESS(ZwAllocateVirtualMemory(NtCurrentProcess(),(PVOID*)&mem,0,&size,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE)))
  371.     {
  372.         DbgPrint("Error: Unable to allocate memory in the target process.");
  373.         KeDetachProcess(); // Detach from target process's address space
  374.  
  375.         ObDereferenceObject(Process); // Dereference the target process
  376.         ObDereferenceObject(Thread); // Dereference the target thread
  377.  
  378.         return FALSE;
  379.     }
  380.  
  381.     DbgPrint("Memory allocated at %#x",mem);
  382.  
  383.     mem->LdrLoadDll=LdrLoadDll; // Write the address of LdrLoadDll to target process
  384.     wcscpy(mem->Buffer,InjectInfo->DllName); // Write the DLL name to target process
  385.  
  386.     RtlInitUnicodeString(&mem->DllName,mem->Buffer); // Initialize the UNICODE_STRING structure
  387.     ApcState=(PKAPC_STATE)((PUCHAR)Thread+ApcStateOffset); // Calculate the address of the ApcState structure
  388.  
  389.     ApcState->UserApcPending=TRUE; // Force the target thread to execute APC
  390.  
  391.     memcpy((PKINJECT)(mem+1),InjectDllApc,(ULONG)KernelRoutine-(ULONG)InjectDllApc); // Copy the APC code to target process
  392.     DbgPrint("APC code address: %#x",(PKINJECT)(mem+1));
  393.  
  394.     apc=(PKAPC)ExAllocatePool(NonPagedPool,sizeof(KAPC)); // Allocate the APC object
  395.  
  396.     if(!apc)
  397.     {
  398.         DbgPrint("Error: Unable to allocate the APC object.");
  399.         size=0;
  400.  
  401.         ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&mem,&size,MEM_RELEASE);  // Free the allocated memory
  402.         KeDetachProcess(); // Detach from target process's address space
  403.  
  404.         ObDereferenceObject(Process); // Dereference the target process
  405.         ObDereferenceObject(Thread); // Dereference the target thread
  406.  
  407.         return FALSE;
  408.     }
  409.  
  410.     KeInitializeApc(apc,Thread,OriginalApcEnvironment,KernelRoutine,NULL,(PKNORMAL_ROUTINE)((PKINJECT)mem+1),UserMode,mem); // Initialize the APC
  411.     DbgPrint("Inserting APC to target thread");
  412.  
  413.     // Insert the APC to the target thread
  414.  
  415.     if(!KeInsertQueueApc(apc,NULL,NULL,IO_NO_INCREMENT))
  416.     {
  417.         DbgPrint("Error: Unable to insert APC to target thread.");
  418.         size=0;
  419.          
  420.         ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&mem,&size,MEM_RELEASE); // Free the allocated memory
  421.         KeDetachProcess(); // Detach from target process's address space
  422.  
  423.         ObDereferenceObject(Process); // Dereference the target process
  424.         ObDereferenceObject(Thread); // Dereference the target thread
  425.  
  426.         ExFreePool(apc); // Free the APC object
  427.         return FALSE;
  428.     }
  429.  
  430.     delay.QuadPart=-100*10000;
  431.  
  432.     while(!mem->Executed)
  433.     {
  434.         KeDelayExecutionThread(KernelMode,FALSE,&delay); // Wait for the injection to complete
  435.     }
  436.  
  437.     if(!mem->DllBase)
  438.     {
  439.         DbgPrint("Error: Unable to inject DLL into target process.");
  440.         size=0;
  441.  
  442.         ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&mem,&size,MEM_RELEASE);
  443.         KeDetachProcess();
  444.  
  445.         ObDereferenceObject(Process);
  446.         ObDereferenceObject(Thread);
  447.          
  448.         return FALSE;
  449.     }
  450.  
  451.     DbgPrint("DLL injected at %#x",mem->DllBase);
  452.     size=0;
  453.  
  454.     ZwFreeVirtualMemory(NtCurrentProcess(),(PVOID*)&mem,&size,MEM_RELEASE); // Free the allocated memory
  455.     KeDetachProcess(); // Detach from target process's address space
  456.  
  457.     ObDereferenceObject(Process); // Dereference the target process
  458.     ObDereferenceObject(Thread);  // Dereference the target thread
  459.  
  460.     return TRUE;
  461. }
  462.  
  463. NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject,PIRP irp)
  464. {
  465.     PIO_STACK_LOCATION io;
  466.     PINJECT_INFO InjectInfo;
  467.  
  468.     NTSTATUS status;
  469.  
  470.     io=IoGetCurrentIrpStackLocation(irp);
  471.     irp->IoStatus.Information=0;
  472.  
  473.     switch(io->MajorFunction)
  474.     {
  475.         case IRP_MJ_CREATE:
  476.             status=STATUS_SUCCESS;
  477.             break;
  478.         case IRP_MJ_CLOSE:
  479.             status=STATUS_SUCCESS;
  480.             break;
  481.         case IRP_MJ_READ:
  482.             status=STATUS_SUCCESS;
  483.             break;
  484.         case IRP_MJ_WRITE:
  485.  
  486.             InjectInfo=(PINJECT_INFO)MmGetSystemAddressForMdlSafe(irp->MdlAddress,NormalPagePriority);
  487.  
  488.             if(!InjectInfo)
  489.             {
  490.                 status=STATUS_INSUFFICIENT_RESOURCES;
  491.                 break;
  492.             }
  493.  
  494.             if(!InjectDll(InjectInfo))
  495.             {
  496.                 status=STATUS_UNSUCCESSFUL;
  497.                 break;
  498.             }
  499.  
  500.             status=STATUS_SUCCESS;
  501.             irp->IoStatus.Information=sizeof(INJECT_INFO);
  502.  
  503.             break;
  504.  
  505.         default:
  506.             status=STATUS_INVALID_DEVICE_REQUEST;
  507.             break;
  508.     }
  509.  
  510.     irp->IoStatus.Status=status;
  511.  
  512.     IoCompleteRequest(irp,IO_NO_INCREMENT);
  513.     return status;
  514. }
  515.  
  516. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
  517. {
  518.     PDEVICE_OBJECT DeviceObject;
  519.     PEPROCESS Process;
  520.     PETHREAD Thread;
  521.     PKAPC_STATE ApcState;
  522.  
  523.     PVOID KdVersionBlock,NtdllBase;
  524.     PULONG ptr,Functions,Names;
  525.     PUSHORT Ordinals;
  526.  
  527.     PLDR_DATA_TABLE_ENTRY MmLoadedUserImageList,ModuleEntry;
  528.     ULONG i;
  529.  
  530.     PIMAGE_DOS_HEADER pIDH;
  531.     PIMAGE_NT_HEADERS pINH;
  532.     PIMAGE_EXPORT_DIRECTORY pIED;
  533.  
  534.     pDriverObject->DriverUnload=Unload;
  535.  
  536.     KdVersionBlock=(PVOID)__readfsdword(0x34); // Get the KdVersionBlock
  537.     MmLoadedUserImageList=*(PLDR_DATA_TABLE_ENTRY*)((PUCHAR)KdVersionBlock+0x228); // Get the MmLoadUserImageList
  538.  
  539.     DbgPrint("KdVersionBlock address: %#x",KdVersionBlock);
  540.     DbgPrint("MmLoadedUserImageList address: %#x",MmLoadedUserImageList);
  541.  
  542.     ModuleEntry=(PLDR_DATA_TABLE_ENTRY)MmLoadedUserImageList->InLoadOrderLinks.Flink; // Move to first entry
  543.     NtdllBase=ModuleEntry->DllBase; // ntdll is always located in first entry
  544.  
  545.     DbgPrint("ntdll base address: %#x",NtdllBase);
  546.  
  547.     pIDH=(PIMAGE_DOS_HEADER)NtdllBase;
  548.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)NtdllBase+pIDH->e_lfanew);
  549.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)NtdllBase+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  550.  
  551.     Functions=(PULONG)((PUCHAR)NtdllBase+pIED->AddressOfFunctions);
  552.     Names=(PULONG)((PUCHAR)NtdllBase+pIED->AddressOfNames);
  553.  
  554.     Ordinals=(PUSHORT)((PUCHAR)NtdllBase+pIED->AddressOfNameOrdinals);
  555.  
  556.     // Parse the export table to locate LdrLoadDll
  557.  
  558.     for(i=0;i<pIED->NumberOfNames;i++)
  559.     {
  560.         if(!strcmp((char*)NtdllBase+Names[i],"LdrLoadDll"))
  561.         {
  562.             LdrLoadDll=(PLDR_LOAD_DLL)((PUCHAR)NtdllBase+Functions[Ordinals[i]]);
  563.             break;
  564.         }
  565.     }
  566.  
  567.     DbgPrint("LdrLoadDll address: %#x",LdrLoadDll);
  568.  
  569.     Process=PsGetCurrentProcess();
  570.     Thread=PsGetCurrentThread();
  571.  
  572.     ptr=(PULONG)Thread;
  573.  
  574.     // Locate the ApcState structure
  575.  
  576.     for(i=0;i<512;i++)
  577.     {
  578.         if(ptr[i]==(ULONG)Process)
  579.         {
  580.             ApcState=CONTAINING_RECORD(&ptr[i],KAPC_STATE,Process); // Get the actual address of KAPC_STATE
  581.             ApcStateOffset=(ULONG)ApcState-(ULONG)Thread; // Calculate the offset of the ApcState structure
  582.  
  583.             break;
  584.         }
  585.     }
  586.  
  587.     DbgPrint("ApcState offset: %#x",ApcStateOffset);
  588.  
  589.     IoCreateDevice(pDriverObject,0,&DeviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&DeviceObject);
  590.     IoCreateSymbolicLink(&SymbolicLink,&DeviceName);
  591.  
  592.     for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
  593.     {
  594.         pDriverObject->MajorFunction[i]=DriverDispatch;
  595.     }
  596.  
  597.     DeviceObject->Flags&=~DO_DEVICE_INITIALIZING;
  598.     DeviceObject->Flags|=DO_DIRECT_IO;
  599.  
  600.     DbgPrint("DLL injection driver loaded.");
  601.     return STATUS_SUCCESS;
  602. }
Add Comment
Please, Sign In to add comment