[原创]condrv.sys 拒绝服务漏洞补丁-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]condrv.sys 拒绝服务漏洞补丁

发表于: 2021-1-21 20:56 5930

[原创]condrv.sys 拒绝服务漏洞补丁

Adventure

2021-1-21 20:56

5930

今天微信朋友圈被蓝屏刷屏了，各大厂商也都在出热补，写着玩，不知道会不会PG
#include "ntifs.h"
 
EXTERN_C POBJECT_TYPE* IoDriverObjectType;
 
EXTERN_C NTSTATUS ObReferenceObjectByName(

    PUNICODE_STRING ObjectName,

    ULONG Attributes,

    PACCESS_STATE AccessState,

    ACCESS_MASK DesiredAccess,

    POBJECT_TYPE ObjectType,

    KPROCESSOR_MODE AccessMode,

    PVOID ParseContext,

    PVOID* Object
);
 
// 全局变量

PDRIVER_OBJECT   g_Con = NULL;

PDRIVER_DISPATCH g_OriginalCreate = NULL;
 
NTSTATUS HookCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{

    PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp);

    DbgPrint("Open File:%wZ\n", &pStack->FileObject->FileName);
 
    UNICODE_STRING usFileName = { 0 };

    RtlInitUnicodeString(&usFileName, L"\\KernelConnect");

    if (RtlCompareUnicodeString(&pStack->FileObject->FileName, &usFileName, TRUE) == 0)

    {

        // 走到这里说明在访问漏洞函数了，再检查请求是否来自UserMode

        if (Irp->RequestorMode)

        {

            Irp->IoStatus.Information = 0;

            Irp->IoStatus.Status = STATUS_ACCESS_DENIED;

            IoCompleteRequest(Irp, IO_NO_INCREMENT);

            return  Irp->IoStatus.Status;

        }

    }
 
    return g_OriginalCreate(DeviceObject, Irp);
 
}
 
NTSTATUS Init()
{

    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNICODE_STRING usDrvName = { 0 };
 
    // install Hook

    RtlInitUnicodeString(&usDrvName, L"\\Driver\\condrv");

    status = ObReferenceObjectByName(&usDrvName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&g_Con);

    if (!NT_SUCCESS(status))

    {

        DbgPrint("Couldn't get the driver object \n");

        return status;

    }

    else

    {

        // Start Hooking

        if (!g_OriginalCreate)

        {

            g_OriginalCreate = g_Con->MajorFunction[IRP_MJ_CREATE];

            g_Con->MajorFunction[IRP_MJ_CREATE] = HookCreate;

        }
 
        DbgPrint("Hook: HOOK driver object! Success\n");

    }

    return STATUS_SUCCESS;
}
 
void UnInit()
{

    if (g_Con)

    {

        g_Con->MajorFunction[IRP_MJ_CREATE] = g_OriginalCreate;

        g_OriginalCreate = NULL;

        ObDereferenceObject(g_Con);

        g_Con = NULL;

        DbgPrint("Restore hook!\n");

    }
}
 
void DriverUnload(PDRIVER_OBJECT DriverObject)
{

    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("Driver Unloadiang\n");

    UnInit();
}
 
EXTERN_C_START
NTSTATUS DriverEntry(PDRIVER_OBJECT  DriverObject, PUNICODE_STRING RegistryPath)
{

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
 
    ULONG MajorVersion = 0;

    ULONG MinorVersion = 0;

    ULONG BuildNumber = 0;
 
    PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, 0);

    if (MajorVersion == 10 && BuildNumber >= 15063)

    {

        Init();

    }

    return STATUS_SUCCESS;
}
EXTERN_C_END
#include "ntifs.h"
 
EXTERN_C POBJECT_TYPE* IoDriverObjectType;
 
EXTERN_C NTSTATUS ObReferenceObjectByName(

    PUNICODE_STRING ObjectName,

    ULONG Attributes,

    PACCESS_STATE AccessState,

    ACCESS_MASK DesiredAccess,

    POBJECT_TYPE ObjectType,

    KPROCESSOR_MODE AccessMode,

    PVOID ParseContext,

    PVOID* Object
);
 
// 全局变量

PDRIVER_OBJECT   g_Con = NULL;

PDRIVER_DISPATCH g_OriginalCreate = NULL;
 
NTSTATUS HookCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{

    PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp);

    DbgPrint("Open File:%wZ\n", &pStack->FileObject->FileName);
 
    UNICODE_STRING usFileName = { 0 };

    RtlInitUnicodeString(&usFileName, L"\\KernelConnect");

    if (RtlCompareUnicodeString(&pStack->FileObject->FileName, &usFileName, TRUE) == 0)

    {

        // 走到这里说明在访问漏洞函数了，再检查请求是否来自UserMode

        if (Irp->RequestorMode)

        {

            Irp->IoStatus.Information = 0;

            Irp->IoStatus.Status = STATUS_ACCESS_DENIED;

            IoCompleteRequest(Irp, IO_NO_INCREMENT);

            return  Irp->IoStatus.Status;

        }

    }
 
    return g_OriginalCreate(DeviceObject, Irp);
 
}
 
NTSTATUS Init()
{

    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNICODE_STRING usDrvName = { 0 };
 
    // install Hook

    RtlInitUnicodeString(&usDrvName, L"\\Driver\\condrv");

    status = ObReferenceObjectByName(&usDrvName, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, (PVOID*)&g_Con);

    if (!NT_SUCCESS(status))

				登录后可查看完整内容
			
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・2

免费・1

支持

最新回复 (4)
evilkis 雪币： 596 活跃值： (449) 能力值： ( LV12，RANK：320 ) 在线值：发帖 15 回帖 509 粉丝 8 关注私信	evilkis 7 2 楼火绒的热补丁就是这么做的 2021-1-22 00:36 0
wowocock 雪币： 405 活跃值： (2280) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 298 粉丝 21 关注私信	wowocock 1 3 楼根本就不是检测模式的问题，而是他的垃圾代码里到处都是坑。内核模式下一样挂，比如随便写个驱动在DRIVERENTRY里调用TestCreateconDrv NTSTATUS TestCreateconDrv() { OBJECT_ATTRIBUTES ObjA; NTSTATUS Status; IO_STATUS_BLOCK IoStatusBlock; HANDLE FileHandle; UNICODE_STRING uCondrv; RtlInitUnicodeString(&uCondrv, L"\\??\\GLOBALROOT\\Device\\ConDrv\\KernelConnect"); InitializeObjectAttributes(&ObjA, &uCondrv, OBJ_CASE_INSENSITIVE\|OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwCreateFile(&FileHandle, GENERIC_WRITE, &ObjA, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT \| FILE_NON_DIRECTORY_FILE \| FILE_SEQUENTIAL_ONLY, NULL, 0 ); if (NT_SUCCESS(Status)) { ZwClose(FileHandle); } return Status; } 2021-1-25 17:29 0
wowocock 雪币： 405 活跃值： (2280) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 298 粉丝 21 关注私信	wowocock 1 4 楼建议把CREATE CLEANUP ,CLOSE都PATCH了 EXTERN_C POBJECT_TYPE* IoDriverObjectType; EXTERN_C NTSTATUS ObReferenceObjectByName( PUNICODE_STRING ObjectName, ULONG Attributes, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID* Object ); // 全局变量 PDRIVER_OBJECT g_Con = NULL; PDRIVER_DISPATCH g_OriginalCreate = NULL; PDRIVER_DISPATCH g_OriginalCleanup = NULL; PDRIVER_DISPATCH g_OriginalClose = NULL; NTSTATUS HookCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); DbgPrint("Open File:%wZ\n", &pStack->FileObject->FileName); RtlInitUnicodeString(&usFileName, L"\\KernelConnect"); if (RtlCompareUnicodeString(&pStack->FileObject->FileName, &usFileName, TRUE) == 0) { // 走到这里说明在访问漏洞函数了，再检查请求是否来自UserMode if (Irp->RequestorMode) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } } return g_OriginalCreate(DeviceObject, Irp); } NTSTATUS HookCleanup(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); if (!MmIsAddressValid(pStack->FileObject) \|\| !MmIsAddressValid(pStack->FileObject->FsContext)) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } return g_OriginalCleanup(DeviceObject, Irp); } NTSTATUS HookClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); if (!MmIsAddressValid(pStack->FileObject) \|\| !MmIsAddressValid(pStack->FileObject->FsContext)) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } return g_OriginalClose(DeviceObject, Irp); } NTSTATUS Init() { NTSTATUS status = STATUS_UNSUCCESSFUL; UNICODE_STRING usDrvName = { 0 }; // install Hook RtlInitUnicodeString(&usDrvName, L"\\Driver\\condrv"); status = ObReferenceObjectByName(&usDrvName, OBJ_CASE_INSENSITIVE, NULL, 0, IoDriverObjectType, KernelMode, NULL, (PVOID)&g_Con); if (!NT_SUCCESS(status)) { DbgPrint("Couldn't get the driver object \n"); return status; } else { // Start Hooking if (!g_OriginalCreate) { g_OriginalCreate = g_Con->MajorFunction[IRP_MJ_CREATE]; g_Con->MajorFunction[IRP_MJ_CREATE] = HookCreate; } if (!g_OriginalCleanup) { g_OriginalCleanup = g_Con->MajorFunction[IRP_MJ_CLEANUP]; g_Con->MajorFunction[IRP_MJ_CLEANUP] = HookCleanup; } if (!g_OriginalClose) { g_OriginalClose = g_Con->MajorFunction[IRP_MJ_CLOSE]; g_Con->MajorFunction[IRP_MJ_CLOSE] = HookClose; } DbgPrint("Hook: HOOK driver object! Success\n"); } return STATUS_SUCCESS; } void UnInit() { if (g_Con) { g_Con->MajorFunction[IRP_MJ_CREATE] = g_OriginalCreate; g_OriginalCreate = NULL; g_Con->MajorFunction[IRP_MJ_CLEANUP] = g_OriginalCleanup; g_OriginalCleanup = NULL; g_Con->MajorFunction[IRP_MJ_CLOSE] = g_OriginalClose; g_OriginalClose = NULL; ObDereferenceObject(g_Con); g_Con = NULL; DbgPrint("Restore hook!\n"); } } 2021-1-25 17:40 0
evilkis 雪币： 596 活跃值： (449) 能力值： ( LV12，RANK：320 ) 在线值：发帖 15 回帖 509 粉丝 8 关注私信	evilkis 7 5 楼 wowocock 根本就不是检测模式的问题，而是他的垃圾代码里到处都是坑。内核模式下一样挂，比如随便写个驱动在DRIVERENTRY里调用TestCreateconDrv NTSTATUS TestCreateco ... 本质是 CREATE IRP返回失败没有设置IoStatus,你说的内核模式一样挂也是因为多处返回没有设置IoStatus 第一个内核模式判断eabufer有无attach字符串没有返回的失败就没设置IoStatus 2021-1-26 23:28 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Adventure

发帖

回帖

113

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (4)
evilkis 雪币： 596 活跃值： (449) 能力值： ( LV12，RANK：320 ) 在线值：发帖 15 回帖 509 粉丝 8 关注私信	evilkis 7 2 楼火绒的热补丁就是这么做的 2021-1-22 00:36 0
wowocock 雪币： 405 活跃值： (2280) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 298 粉丝 21 关注私信	wowocock 1 3 楼根本就不是检测模式的问题，而是他的垃圾代码里到处都是坑。内核模式下一样挂，比如随便写个驱动在DRIVERENTRY里调用TestCreateconDrv NTSTATUS TestCreateconDrv() { OBJECT_ATTRIBUTES ObjA; NTSTATUS Status; IO_STATUS_BLOCK IoStatusBlock; HANDLE FileHandle; UNICODE_STRING uCondrv; RtlInitUnicodeString(&uCondrv, L"\\??\\GLOBALROOT\\Device\\ConDrv\\KernelConnect"); InitializeObjectAttributes(&ObjA, &uCondrv, OBJ_CASE_INSENSITIVE\|OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwCreateFile(&FileHandle, GENERIC_WRITE, &ObjA, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT \| FILE_NON_DIRECTORY_FILE \| FILE_SEQUENTIAL_ONLY, NULL, 0 ); if (NT_SUCCESS(Status)) { ZwClose(FileHandle); } return Status; } 2021-1-25 17:29 0
wowocock 雪币： 405 活跃值： (2280) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 298 粉丝 21 关注私信	wowocock 1 4 楼建议把CREATE CLEANUP ,CLOSE都PATCH了 EXTERN_C POBJECT_TYPE* IoDriverObjectType; EXTERN_C NTSTATUS ObReferenceObjectByName( PUNICODE_STRING ObjectName, ULONG Attributes, PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID* Object ); // 全局变量 PDRIVER_OBJECT g_Con = NULL; PDRIVER_DISPATCH g_OriginalCreate = NULL; PDRIVER_DISPATCH g_OriginalCleanup = NULL; PDRIVER_DISPATCH g_OriginalClose = NULL; NTSTATUS HookCreate(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); DbgPrint("Open File:%wZ\n", &pStack->FileObject->FileName); RtlInitUnicodeString(&usFileName, L"\\KernelConnect"); if (RtlCompareUnicodeString(&pStack->FileObject->FileName, &usFileName, TRUE) == 0) { // 走到这里说明在访问漏洞函数了，再检查请求是否来自UserMode if (Irp->RequestorMode) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } } return g_OriginalCreate(DeviceObject, Irp); } NTSTATUS HookCleanup(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); if (!MmIsAddressValid(pStack->FileObject) \|\| !MmIsAddressValid(pStack->FileObject->FsContext)) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } return g_OriginalCleanup(DeviceObject, Irp); } NTSTATUS HookClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { UNICODE_STRING usFileName = { 0 }; PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(Irp); if (!MmIsAddressValid(pStack->FileObject) \|\| !MmIsAddressValid(pStack->FileObject->FsContext)) { Irp->IoStatus.Information = 0; Irp->IoStatus.Status = STATUS_ACCESS_DENIED; IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status; } return g_OriginalClose(DeviceObject, Irp); } NTSTATUS Init() { NTSTATUS status = STATUS_UNSUCCESSFUL; UNICODE_STRING usDrvName = { 0 }; // install Hook RtlInitUnicodeString(&usDrvName, L"\\Driver\\condrv"); status = ObReferenceObjectByName(&usDrvName, OBJ_CASE_INSENSITIVE, NULL, 0, IoDriverObjectType, KernelMode, NULL, (PVOID)&g_Con); if (!NT_SUCCESS(status)) { DbgPrint("Couldn't get the driver object \n"); return status; } else { // Start Hooking if (!g_OriginalCreate) { g_OriginalCreate = g_Con->MajorFunction[IRP_MJ_CREATE]; g_Con->MajorFunction[IRP_MJ_CREATE] = HookCreate; } if (!g_OriginalCleanup) { g_OriginalCleanup = g_Con->MajorFunction[IRP_MJ_CLEANUP]; g_Con->MajorFunction[IRP_MJ_CLEANUP] = HookCleanup; } if (!g_OriginalClose) { g_OriginalClose = g_Con->MajorFunction[IRP_MJ_CLOSE]; g_Con->MajorFunction[IRP_MJ_CLOSE] = HookClose; } DbgPrint("Hook: HOOK driver object! Success\n"); } return STATUS_SUCCESS; } void UnInit() { if (g_Con) { g_Con->MajorFunction[IRP_MJ_CREATE] = g_OriginalCreate; g_OriginalCreate = NULL; g_Con->MajorFunction[IRP_MJ_CLEANUP] = g_OriginalCleanup; g_OriginalCleanup = NULL; g_Con->MajorFunction[IRP_MJ_CLOSE] = g_OriginalClose; g_OriginalClose = NULL; ObDereferenceObject(g_Con); g_Con = NULL; DbgPrint("Restore hook!\n"); } } 2021-1-25 17:40 0
evilkis 雪币： 596 活跃值： (449) 能力值： ( LV12，RANK：320 ) 在线值：发帖 15 回帖 509 粉丝 8 关注私信	evilkis 7 5 楼 wowocock 根本就不是检测模式的问题，而是他的垃圾代码里到处都是坑。内核模式下一样挂，比如随便写个驱动在DRIVERENTRY里调用TestCreateconDrv NTSTATUS TestCreateco ... 本质是 CREATE IRP返回失败没有设置IoStatus,你说的内核模式一样挂也是因为多处返回没有设置IoStatus 第一个内核模式判断eabufer有无attach字符串没有返回的失败就没设置IoStatus 2021-1-26 23:28 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复