#include <fltKernel.h>
#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
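// State shared between DriverEntry / ThreadStop (writers) and the worker in
// ThreadFunction (reader). The driver has no std::atomic or KEVENT here, so the
// stop flag is at least marked volatile: it is polled from another thread and
// the compiler must not hoist the load out of the worker's loop. A KEVENT would
// be the more conventional kernel signal if this grows beyond a single flag.
volatile bool gThreadExiting = false;
// Kernel handle (OBJ_KERNEL_HANDLE) returned by PsCreateSystemThread; closed in ThreadStop.
HANDLE gThreadHandle = nullptr;
// Referenced thread object from ObReferenceObjectByHandle, waited on in
// ThreadStop. The reference must be balanced with ObDereferenceObject once the
// wait returns, or the thread object is leaked.
PVOID gThreadObject = nullptr;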
// Blocks the calling thread for roughly `milliseconds`.
//
// KeDelayExecutionThread takes its interval in 100-ns units; a negative value
// means "relative to now", so 1 ms becomes -10,000. The caller runs at
// PASSIVE_LEVEL (a system thread), which this API requires (<= APC_LEVEL).
void
Sleep(unsigned long milliseconds)
{
    constexpr long long kTicksPerMillisecond = 10000ll;
    LARGE_INTEGER delay{};
    delay.QuadPart = -static_cast<long long>(milliseconds) * kTicksPerMillisecond;
    KeDelayExecutionThread(KernelMode, FALSE, &delay);
}
// Raises the kernel debug-service trap (int 0x2D) by hand.
//
// Register/stack state at the trap, read directly from the instructions below:
//   eax = 5
//   rcx -> { WORD Length = 1, WORD MaximumLength = <not written>, ..., PVOID Buffer (+8) -> "g" }
//   rdx -> { WORD Length = 1, WORD MaximumLength = <not written>, ..., PVOID Buffer (+8) -> "g" }
// Service number 5 with two counted-string arguments has the shape of the
// debugger "command string" service, so this appears intended to hand the
// one-character command "g" (go) to an attached kernel debugger — i.e. to
// resume the machine whenever an analyst breaks in. Read it as an
// anti-debugging primitive, not a utility. When no debugger services the trap
// it presumably faults, which is why the only caller wraps it in __try.
//
// NOTE(review): the body uses 64-bit registers, but MSVC rejects __asm blocks
// and __declspec(naked) when targeting x64; this builds only with a toolchain
// that accepts MS-style x64 inline asm (e.g. clang-cl) or after being moved to
// a .asm file — confirm against the project's build configuration.
// NOTE(review): the MaximumLength word (+2) of both records is never written
// and carries whatever was already on the stack.
__declspec(naked) void LetMeGG()
{
    _asm {
        sub rsp, 0x48                         // local frame; with the ABI's 8-mod-16 entry rsp, 0x48 leaves rsp 16-byte aligned
        mov eax, 0x5                          // debug-service number
        mov byte ptr ss:[rsp + 0x10], 0x67    // 'g'
        mov byte ptr ss:[rsp + 0x11], 0       // NUL terminator
        push rax                              // preserve eax = 5 across the lea below
        lea rax, qword ptr ss:[rsp + 0x18]    // = &'g' (rsp is 8 lower while rax is pushed)
        mov qword ptr ss:[rsp + 0x40], rax    // Buffer of the rcx record (frame +0x38)
        mov qword ptr ss:[rsp + 0x30], rax    // Buffer of the rdx record (frame +0x28)
        pop rax
        mov word ptr ss:[rsp + 0x20], 0x1     // rdx record: Length = 1
        mov word ptr ss:[rsp + 0x30], 0x1     // rcx record: Length = 1
        lea rdx, ss:[rsp + 0x20]
        lea rcx, ss:[rsp + 0x30]
        int 0x2D                              // kernel debug-service trap
        nop                                   // presumably padding for the trap handler's return-address adjustment; keep it
        add rsp, 0x48
        ret
    }
}
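// Start routine of the system thread created in DriverEntry.
//
// Until ThreadStop raises gThreadExiting it repeatedly fires the debug-service
// trap in LetMeGG, logs a line, and sleeps ~1 ms. Note that at this cadence the
// dprintf alone floods the debugger output; together with the trap that is
// evidently the point of the loop.
//
// StartContext: unused (DriverEntry passes nullptr).
void
ThreadFunction(_In_ PVOID StartContext)
{
    UNREFERENCED_PARAMETER(StartContext);

    while (!gThreadExiting)
    {
        __try
        {
            LetMeGG();
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // int 0x2D with no debugger attached presumably faults; the trap is
            // best-effort, so the exception is deliberately swallowed.
        }
        dprintf("LetMeGG\n");
        Sleep(1);
    }

    // A driver-created system thread terminates itself; falling off the end of
    // the start routine is not the documented contract.
    PsTerminateSystemThread(STATUS_SUCCESS);
}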
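// Stops the worker thread and releases everything DriverEntry acquired for it.
//
// Must complete before the driver image is unmapped: a thread still running in
// this module after unload would execute freed code. Safe to call more than
// once (second call sees null state and does nothing).
void
ThreadStop()
{
    gThreadExiting = true;

    if (gThreadObject)
    {
        KeWaitForSingleObject(gThreadObject, Executive, KernelMode, FALSE, nullptr);
        // Balance the reference taken by ObReferenceObjectByHandle in
        // DriverEntry; without this the thread object leaked on every unload.
        ObDereferenceObject(gThreadObject);
    }
    else if (gThreadHandle)
    {
        // DriverEntry created the thread but could not reference its object.
        // The worker is still running, so wait on the handle instead
        // (GENERIC_ALL includes SYNCHRONIZE) rather than returning early.
        ZwWaitForSingleObject(gThreadHandle, FALSE, nullptr);
    }

    if (gThreadHandle)
    {
        ZwClose(gThreadHandle);
    }

    gThreadObject = nullptr;
    gThreadHandle = nullptr;
}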
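// DriverUnload callback: the worker must be fully stopped before the image
// goes away, so ThreadStop (which blocks until the thread has exited) runs
// first and the log line last.
//
// DriverObject: unused; typed as PDRIVER_OBJECT to match DriverEntry.
void
DriverUnLoad(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    ThreadStop();
    dprintf("free world\n");
}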
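// Driver entry point: registers the unload routine and starts the worker.
//
// Returns STATUS_SUCCESS once the worker thread is running and referenced.
// Any failure is propagated (the original always returned success, which left
// a loaded driver that did nothing and could not report why).
//
// RegistryPath: unused.
EXTERN_C
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    dprintf("new world\n");
    DriverObject->DriverUnload = DriverUnLoad;

    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr);
    NTSTATUS status = PsCreateSystemThread(&gThreadHandle, GENERIC_ALL, &oa, nullptr, nullptr, ThreadFunction, nullptr);
    if (!NT_SUCCESS(status))
    {
        // Nothing was created, so there is nothing to tear down.
        gThreadHandle = nullptr;
        return status;
    }

    // Keep a referenced pointer so ThreadStop can KeWait on the thread object.
    // Passing *PsThreadType makes the kernel verify the handle is a thread;
    // SYNCHRONIZE is what the wait needs (access is not checked for KernelMode anyway).
    status = ObReferenceObjectByHandle(gThreadHandle, SYNCHRONIZE, *PsThreadType, KernelMode, &gThreadObject, nullptr);
    if (!NT_SUCCESS(status))
    {
        gThreadObject = nullptr;
        // The thread is already running. Since we are about to fail the load
        // (no DriverUnload will be called), make sure it has actually exited
        // before returning: wait on the handle, then let ThreadStop close it.
        gThreadExiting = true;
        ZwWaitForSingleObject(gThreadHandle, FALSE, nullptr);
        ThreadStop();
        return status;
    }

    return STATUS_SUCCESS;
}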