Skip to content

Instantly share code, notes, and snippets.

@iljavs

iljavs/ProcReveal.c

Created October 15, 2020 16:29
Show Gist options
  • Save iljavs/4148790128f18f64c68aa216c93f56f1 to your computer and use it in GitHub Desktop.
Save iljavs/4148790128f18f64c68aa216c93f56f1 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ProcReveal.c
#include <ntddk.h>
#include <windef.h>
#define DEVNAME L"\\Device\\ProcReveal"
#define LINKNAME L"\\??\\ProcReveal"
#define IOCTL_OPEN_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN , 1, METHOD_NEITHER, FILE_ANY_ACCESS)
void PrUnload(PDRIVER_OBJECT DriverObject) {
NTSTATUS status;
UNICODE_STRING sLinkName;
PDEVICE_OBJECT DevObj, t;
DbgPrint("PrUnload called \n");
RtlInitUnicodeString(&sLinkName, LINKNAME);
status = IoDeleteSymbolicLink(&sLinkName);
if (status != STATUS_SUCCESS) {
DbgPrint("IoDeleteSymbolicLink() failed ??!?\n");
}
DevObj = DriverObject->DeviceObject;
while (DevObj) {
t = DevObj->NextDevice;
IoDeleteDevice(DevObj);
DevObj = t;
}
DbgPrint("PrUnload is done, module unloaded \n");
return;
}
NTSTATUS CreateCloseDispatch(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
) {
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS IoctlDispatch(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
) {
PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
NTSTATUS status = STATUS_SUCCESS;
DWORD info = 0;
CLIENT_ID cid = {0};
OBJECT_ATTRIBUTES oa = {0};
HANDLE h;
UNREFERENCED_PARAMETER(DeviceObject);
switch (IrpSp->Parameters.DeviceIoControl.IoControlCode) {
case IOCTL_OPEN_PROCESS:
if (IrpSp->Parameters.DeviceIoControl.InputBufferLength != sizeof(HANDLE) || IrpSp->Parameters.DeviceIoControl.OutputBufferLength != sizeof(HANDLE) ) {
status = STATUS_INVALID_BUFFER_SIZE;
goto END;
}
__try {
ProbeForWrite(Irp->UserBuffer, IrpSp->Parameters.DeviceIoControl.OutputBufferLength, 1); // IoMgr should've probed this before. lets do it anyway just to be sure.
ProbeForRead(IrpSp->Parameters.DeviceIoControl.Type3InputBuffer, IrpSp->Parameters.DeviceIoControl.InputBufferLength, 1);
cid.UniqueProcess = *(HANDLE*) IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = STATUS_INVALID_PARAMETER;
goto END;
}
InitializeObjectAttributes(&oa, NULL, OBJ_CASE_INSENSITIVE, 0, NULL);
status = ZwOpenProcess(&h, PROCESS_ALL_ACCESS, &oa, &cid);
if (status != STATUS_SUCCESS) {
goto END;
}
__try {
*(HANDLE*)Irp->UserBuffer = h;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = STATUS_INVALID_PARAMETER;
goto END;
}
info = sizeof(HANDLE);
break;
}
END:
Irp->IoStatus.Information = info;
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
PDEVICE_OBJECT DevObject;
UNICODE_STRING sDevName;
UNICODE_STRING sLinkName;
NTSTATUS status;
DbgPrint("Simple DriverEntry called: %wZ\n", RegistryPath);
DriverObject->DriverUnload = PrUnload;
RtlInitUnicodeString(&sDevName, DEVNAME);
RtlInitUnicodeString(&sLinkName, LINKNAME);
status = IoCreateDevice(DriverObject, 0, &sDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DevObject);
if (status != STATUS_SUCCESS) {
DbgPrint("IoCreateDevice() failed\n");
return STATUS_UNSUCCESSFUL;
}
status = IoCreateSymbolicLink(&sLinkName, &sDevName);
if (status != STATUS_SUCCESS) {
DbgPrint("IoCreateSymbolicLink() failed\n");
IoDeleteDevice(DevObject);
return STATUS_UNSUCCESSFUL;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCloseDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateCloseDispatch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoctlDispatch;
DevObject->Flags &= ~DO_DEVICE_INITIALIZING;
DbgPrint("Driver is successfully loaded!\n");
return STATUS_SUCCESS;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment