driver code so far

Author: sum-catnip

CMakeLists.txt

@@ -0,0 +1,44 @@
+cmake_minimum_required(VERSION 3.23.0)
+project(kptnhook VERSION 0.1.0)
+
+#include(CTest)
+#enable_testing()
+
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/deps/findwdk/cmake")
+find_package(WDK REQUIRED)
+
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/shellcode32.asm)
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/shellcode64.asm)
+set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS src/shellcode/structs.asm)
+
+exec_program(powershell "${CMAKE_CURRENT_LIST_DIR}"
+             ARGS -ExecutionPolicy Bypass -File ${CMAKE_CURRENT_LIST_DIR}\\compile-shellcode.ps1 ${CMAKE_CURRENT_LIST_DIR}\\src\\shellcode\\shellcode32.asm
+             OUTPUT_VARIABLE SHELLCODE_BYTES32)
+
+message("compiled 32bit shellcode: ${SHELLCODE_BYTES32}")
+
+exec_program(powershell "${CMAKE_CURRENT_LIST_DIR}"
+             ARGS -ExecutionPolicy Bypass -File ${CMAKE_CURRENT_LIST_DIR}\\compile-shellcode.ps1 ${CMAKE_CURRENT_LIST_DIR}\\src\\shellcode\\shellcode64.asm
+             OUTPUT_VARIABLE SHELLCODE_BYTES64)
+
+message("compiled 64bit shellcode: ${SHELLCODE_BYTES64}")
+
+wdk_add_driver(kptnhook src/main.cpp)
+
+target_compile_definitions(kptnhook PUBLIC ARR_SHELLCODE32=${SHELLCODE_BYTES32})
+target_compile_definitions(kptnhook PUBLIC ARR_SHELLCODE64=${SHELLCODE_BYTES64})
+add_custom_command(TARGET kptnhook POST_BUILD
+    COMMAND ${WDK_ROOT}/bin/${WDK_VERSION}/x64/signtool.exe sign /v /n kptnhook $<TARGET_FILE:kptnhook>
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+    COMMENT "signing kernel driver"
+)
+
+add_subdirectory(src)
+add_subdirectory(include/kptnhook)
+#add_subdirectory(deps)
+
+set(CPACK_PROJECT_NAME ${PROJECT_NAME})
+set(CPACK_PROJECT_VERSION ${PROJECT_VERSION})
+include(CPack)
+
+message(${WDK_ROOT}/bin/${WDK_VERSION}/x64/signtool.exe )

compile-shellcode.ps1

@@ -0,0 +1,19 @@
+<#
+    compiles an asm file into a c-style byte array
+#>
+param (
+    # path to asm file
+    [parameter(mandatory=$true)]
+    [string]$path
+)
+
+$nasm = "$env:LOCALAPPDATA\bin\NASM\nasm.exe"
+
+if (-not (test-path $nasm)) {
+    write-error "nasm.exe not found in appdata. install nasm for local user to continue."
+    exit 1
+}
+
+$tempfile = "$env:TEMP\shellcode.bin"
+& $nasm $path -f bin -o $tempfile
+'{ ' + ((format-hex $tempfile | select -expand bytes | % { '0x{0:x2}' -f $_ }) -join ', ') + ' }'

create_cert.ps1

@@ -0,0 +1 @@
+New-SelfSignedCertificate -Subject "kptnhook" -Type CodeSigningCert -CertStoreLocation cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(99)

deps/CMakeLists.txt

@@ -0,0 +1 @@
+target_include_directories(kptnhook PUBLIC ${CMAKE_CURRENT_SOURCE_DIR})

include/kptnhook/CMakeLists.txt

@@ -0,0 +1,12 @@
+#pragma once
+#include <ntifs.h>
+
+enum bit { x64, x32 };
+enum compat { native, wow };
+struct arch {
+    bit b;
+    compat com;
+};
+
+/// figure out the architecture of a peprocess
+arch proc_arch(PEPROCESS p);

include/kptnhook/arch.h

@@ -0,0 +1,10 @@
+#pragma once
+
+#include <ntifs.h>
+
+struct driverctx {
+    PDRIVER_OBJECT obj;
+    PUNICODE_STRING registry_path; 
+};
+
+extern driverctx GLOBAL;

include/kptnhook/drvglobal.h

@@ -0,0 +1,9 @@
+#pragma once
+#include <ntifs.h>
+
+constexpr UNICODE_STRING KNOWN_DLLS[] = {
+	RTL_CONSTANT_STRING(L"gi_agent.dll")
+};
+
+void on_image_load(PUNICODE_STRING img_name, HANDLE proc, PIMAGE_INFO info);
+void on_create_proc(HANDLE parent_pid, HANDLE pid, BOOLEAN create);

include/kptnhook/handler.h

@@ -0,0 +1,23 @@
+#pragma once
+#include <ntifs.h>
+
+constexpr UINT8 stub64[] = { 0xff, 0x25, 0x00, 0x00, 0x00, 0x00 };
+constexpr auto STUB_SIZE64 = sizeof(stub64) + sizeof(UINT64);
+
+constexpr UINT8 stub32[] = { 0xe9 };
+constexpr auto STUB_SIZE32 = sizeof(stub32) + sizeof(UINT32);
+
+#ifdef ARR_SHELLCODE32
+#else
+#define ARR_SHELLCODE32 { 0 }
+#error shellcode not defined, use the cmake build as it defined this
+#endif
+
+#ifdef ARR_SHELLCODE64
+#else
+#define ARR_SHELLCODE64 { 0 }
+#error shellcode not defined, use the cmake build as it defined this
+#endif
+
+void hook64(void* func, void* target);
+void hook32(void* func, void* target);

include/kptnhook/hook.h

@@ -0,0 +1,6 @@
+#pragma once
+#include <ntifs.h>
+#include <arch.h>
+
+NTSTATUS remove_known_dll(const UNICODE_STRING* filename, bool native_arch);
+NTSTATUS add_known_dll(const UNICODE_STRING* filename, arch a);

include/kptnhook/known_dlls.h

@@ -0,0 +1,18 @@
+#pragma once
+
+#include <ntifs.h>
+
+constexpr auto LOG_LEVEL_DBG   = 4;
+constexpr auto LOG_LEVEL_TRACE = 3;
+constexpr auto LOG_LEVEL_INFO  = 2;
+constexpr auto LOG_LEVEL_WARN  = 1;
+constexpr auto LOG_LEVEL_ERR   = 0;
+
+#define log_debug(s, ...) DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_LEVEL_DBG,   "[kptnhook2][debug] " s "\n", __VA_ARGS__)
+#define log_trace(s, ...) DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_LEVEL_TRACE, "[kptnhook2][trace] " s "\n", __VA_ARGS__)
+#define log_info(s, ...)  DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_LEVEL_INFO,  "[kptnhook2][info]  " s "\n", __VA_ARGS__)
+#define log_warn(s, ...)  DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_LEVEL_WARN,  "[kptnhook2][warn]  " s "\n", __VA_ARGS__)
+#define log_error(s, ...) DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_LEVEL_ERR,   "[kptnhook2][error] " s "\n", __VA_ARGS__)
+
+#define guard_log(cond, code, msg, ...) if(cond) { log_error(msg, __VA_ARGS__); return code; }
+#define guard_nts(status, msg, ...) guard_log(!NT_SUCCESS(status), status, msg, __VA_ARGS__);

include/kptnhook/log.h

@@ -0,0 +1,5 @@
+#pragma once
+#include <ntifs.h>
+
+extern "C" NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg_path);
+void NTAPI unload(PDRIVER_OBJECT drv);

include/kptnhook/main.h

@@ -0,0 +1,5 @@
+#pragma once
+#include <ntifs.h>
+
+bool match_filename(PUNICODE_STRING path, PUNICODE_STRING filename);
+bool match_filename_ascii(char* path, char* filename);

include/kptnhook/path.h

@@ -0,0 +1,5 @@
+#pragma once
+
+#define addroffset(type, addr, off) reinterpret_cast<type*>(reinterpret_cast<uintptr_t>(addr) + off)
+#define addr_relative_to(a1, a2) reinterpret_cast<size_t>(a1) - reinterpret_cast<size_t>(a2)
+#define towow64(ptr) static_cast<UINT32>(reinterpret_cast<UINT_PTR>(ptr))

include/kptnhook/pointers.h

@@ -0,0 +1,41 @@
+#pragma once
+#include <ntifs.h>
+
+#define _CONCAT(x,y) x ## y
+#define CONCAT(x,y) _CONCAT(x,y)
+
+template<class T>
+class raiiwrap {
+public:
+	raiiwrap(T inner) : m_inner(inner) {}
+protected:
+	T m_inner;
+};
+
+#define bind_peprocess(p) auto CONCAT(anonymous, __LINE__) = peprocess_res(p);
+class peprocess_res : public raiiwrap<PEPROCESS> {
+public:
+	peprocess_res(PEPROCESS p) : raiiwrap(p) {};
+	~peprocess_res() { ObDereferenceObject(m_inner); }
+};
+
+#define bind_handle(h) auto CONCAT(anonymous, __LINE__) = handle_res(h);
+class handle_res : public raiiwrap<HANDLE> {
+public: 
+	handle_res(HANDLE p) : raiiwrap(p) {};
+	~handle_res() { ZwClose(m_inner); }
+};
+
+#define bind_kapc_state(p) auto CONCAT(anonymous, __LINE__) = kapc_state_res(p);
+class kapc_state_res : public raiiwrap<PKAPC_STATE> {
+public:
+	kapc_state_res(PKAPC_STATE p) : raiiwrap(p) {};
+	~kapc_state_res() { KeUnstackDetachProcess(m_inner); }
+};
+
+#define bind_alloc(p) auto CONCAT(anonymous, __LINE__) = alloc_res(p);
+class alloc_res : public raiiwrap<PVOID> {
+public:
+	alloc_res(PVOID p) : raiiwrap(p) {};
+	~alloc_res() { if(m_inner) ExFreePool(m_inner); }
+};