refactor: 🔨 Rewrite BYOVD

frack113 · Oct 19, 2024 · 6dee87d · 6dee87d
1 parent ae8abfd
commit 6dee87d
Showing 1 changed file with 28 additions and 73 deletions.
diff --git a/src/actions/drivers/byovd.rs b/src/actions/drivers/byovd.rs
@@ -4,13 +4,12 @@
 
 use crate::{actions::Runnable, windows::users::is_administrator};
 use clap::Parser;
-use std::{error::Error, thread, time};
+use std::{error::Error, path::PathBuf};
 use windows::{
-    core::{Result as WindowsResult, PCWSTR},
+    core::{Owned, Result as WindowsResult, HSTRING, PCWSTR},
     Win32::System::Services::{
-        ControlService, CreateServiceW, DeleteService, OpenSCManagerW, StartServiceW,
-        ENUM_SERVICE_TYPE, SC_HANDLE, SC_MANAGER_ALL_ACCESS, SERVICE_CONTROL_STOP, SERVICE_ERROR,
-        SERVICE_START_TYPE, SERVICE_STATUS,
+        CreateServiceW, OpenSCManagerW, StartServiceW, SC_HANDLE, SC_MANAGER_ALL_ACCESS,
+        SC_MANAGER_CREATE_SERVICE, SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, SERVICE_KERNEL_DRIVER,
     },
 };
 
@@ -21,91 +20,47 @@ pub struct Byovd {
     #[clap(required = true, help = "Displayed Name of the service")]
     display: String,
     #[clap(required = true, help = "Full path to the driver eg: c:\\temp...")]
-    path: String,
+    path: PathBuf,
 }
 
-fn create_driver_service(name: &str, details: &str, path: &str) -> bool {
-    println!("Open the service manager");
-    let scmanager: SC_HANDLE =
-        unsafe { OpenSCManagerW(PCWSTR::null(), PCWSTR::null(), SC_MANAGER_ALL_ACCESS) }
-            .expect("Sc Manager open failure");
-
-    let mut service_name: Vec<u16> = name.encode_utf16().collect();
-    service_name.push(0);
-    let mut service_display: Vec<u16> = details.encode_utf16().collect();
-    service_display.push(0);
-    let mut service_path: Vec<u16> = path.encode_utf16().collect();
-    service_path.push(0);
-
-    println!("Create the service manager");
+fn load_driver(name: &str, details: &str, path: &str) -> WindowsResult<()> {
+    unsafe {
+        let service_manager: Owned<SC_HANDLE> = Owned::new(OpenSCManagerW(
+            PCWSTR::null(),
+            PCWSTR::null(),
+            SC_MANAGER_CREATE_SERVICE,
+        )?);
 
-    let service_handle: SC_HANDLE = match unsafe {
-        CreateServiceW(
-            scmanager,
-            PCWSTR::from_raw(service_name.as_ptr()),
-            PCWSTR::from_raw(service_display.as_ptr()),
-            0xF003F,
-            ENUM_SERVICE_TYPE(1),
-            SERVICE_START_TYPE(2),
-            SERVICE_ERROR(0),
-            PCWSTR::from_raw(service_path.as_ptr()),
+        let service: Owned<SC_HANDLE> = Owned::new(CreateServiceW(
+            *service_manager,
+            &HSTRING::from(name),
+            &HSTRING::from(details),
+            SC_MANAGER_ALL_ACCESS,
+            SERVICE_KERNEL_DRIVER,
+            SERVICE_AUTO_START,
+            SERVICE_ERROR_IGNORE,
+            &HSTRING::from(path),
             PCWSTR::null(),
             None,
             PCWSTR::null(),
             PCWSTR::null(),
             PCWSTR::null(),
-        )
-    } {
-        Ok(value) => value,
-        Err(_) => {
-            println!("Service creation failure");
-            return false;
-        }
-    };
-
-    println!("Start Service ");
-
-    match unsafe { StartServiceW(service_handle, None) } {
-        Ok(_) => {
-            println!("Wait a little");
-            let sleep_duration: time::Duration = time::Duration::from_millis(2000);
-            thread::sleep(sleep_duration);
-            let mut service_status: SERVICE_STATUS = unsafe { std::mem::zeroed() };
-            println!("Stop Service");
-            let _result_stop: WindowsResult<()> = unsafe {
-                ControlService(service_handle, SERVICE_CONTROL_STOP, &mut service_status)
-            };
-        }
-        Err(value) => {
-            println!("Service Start failure with code : {:#06x}", value.code().0);
-        }
-    };
+        )?);
 
-    match unsafe { DeleteService(service_handle) } {
-        Ok(_) => {
-            println!("Service remove succeed");
-            true
-        }
-        Err(value) => {
-            println!("Service remove failure with code : {:#06x}", value.code().0);
-            false
-        }
+        Ok(StartServiceW(*service, None)?)
     }
 }
 
 impl Runnable for Byovd {
     fn run(&self) -> Result<(), Box<dyn Error>> {
-        println!("Bring Your Own Vulnerable Driver");
-
         if !is_administrator()? {
-            println!("Need to have Administrator right to create the service");
             return Ok(());
         }
 
-        // Todo check path is valid or not :)
-
-        let result: bool = create_driver_service(&self.internal, &self.display, &self.path);
-
-        Ok(())
+        Ok(load_driver(
+            &self.internal,
+            &self.display,
+            self.path.to_str().unwrap(),
+        )?)
     }
 }