Page 2 of 4

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Fri Jun 20, 2014 8:09 pm
by alaf1234567890
Where can I get these 2 files:

"rtls\prtl.h"
"ntdll\winnative.h"

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sat Jun 21, 2014 3:18 am
by EP_X0FF
alaf1234567890 wrote: Where can I get these 2 files:

"rtls\prtl.h"
"ntdll\winnative.h"
Nowhere. They are our C runtime reimplementation and native-API-based support routines; you have to implement them yourself.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Jul 14, 2014 6:13 am
by Mr-Smash
I get a handle to the device after loading the driver,
but DeviceIoControl (in ControlDSE) returns incorrect output:


#define VBoxDrvDevName L"\\\\.\\VBoxDrv"


main.cpp ========================================

hDriver = NativeOpenDevice(VBoxDrvDevName);
if (hDriver == INVALID_HANDLE_VALUE) goto fail;   /* CreateFileW reports failure with INVALID_HANDLE_VALUE, not NULL */


Winnative.cpp ===================================

#include <windows.h>

/* Open the VBoxDrv device object by its Win32 name (\\.\VBoxDrv). */
HANDLE NativeOpenDevice(LPCWSTR DevName)
{
    /* No FILE_FLAG_OVERLAPPED here: ControlDSE passes a NULL OVERLAPPED to
       DeviceIoControl, which is only valid on a synchronous handle. */
    HANDLE hDriver = CreateFileW(DevName,
                                 FILE_ALL_ACCESS,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);

    return hDriver;
}


main.cpp -> ControlDSE ==========================

/* Cookie handshake: the same SUPCOOKIE buffer carries the request in and the reply out. */
if (!DeviceIoControl(hDriver, SUP_IOCTL_COOKIE, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
                     SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) goto fail;

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Mon Jul 14, 2014 6:24 am
by EP_X0FF
Your VBox driver is different. This vulnerability is patched in later versions of VBox and won't work the same way.

http://www.kernelmode.info/forum/viewto ... 352#p22352
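Since the behaviour depends on exactly which VBoxDrv.sys build is loaded, the first thing to check is the version and signer of the driver actually running, not the file name it was loaded under. The following is an added example, not DSEFix code or anything from the thread: it enumerates running kernel drivers through the Win32_SystemDriver class and reports every one whose version resource identifies it as VBoxDrv, so the version can be compared against the build DSEFix was written for. It matches on the version resource rather than the service or file name because a loader can rename both. The function name Get-LoadedVBoxDrv and the path normalisation are this example's own assumptions.

```powershell
# Added example (not part of DSEFix): list running drivers whose version
# resource says they are VirtualBox's VBoxDrv, with version and signer.
function Get-LoadedVBoxDrv {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in several shapes: "\??\C:\...\x.sys",
            # "\SystemRoot\system32\drivers\x.sys", or relative to %SystemRoot%.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $vi = (Get-Item -LiteralPath $path).VersionInfo
            # Match on the embedded original file name, not the on-disk name
            # or the service name, since both can be chosen by whoever loads it.
            if ($vi.OriginalFilename -notlike 'VBoxDrv*') { return }

            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Service     = $_.Name            # service the driver was loaded under
                Path        = $path
                FileVersion = $vi.FileVersion    # compare this with the build you expect
                Product     = $vi.ProductName
                Signer      = $sig.SignerCertificate.Subject
                Signature   = $sig.Status        # Valid / NotSigned / HashMismatch ...
            }
        }
}

Get-LoadedVBoxDrv | Format-List
```

Run it from an elevated prompt so the driver files under system32\drivers are readable. A VBoxDrv build that answers under an unexpected service name, or whose FileVersion does not match the VirtualBox package actually installed on the machine, is the situation this thread is about and is worth a second look on any host you did not set up yourself.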

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sat Aug 02, 2014 3:35 pm
by Mr-Smash
Winnative for this project:

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Sun Aug 03, 2014 3:06 pm
by EP_X0FF
Heh. Nice work. Although we use our own string manipulation routines and the Native API with Nt_Map_Zw in winnative.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Wed Aug 06, 2014 7:25 pm
by TurlaBoy
Hey EP_X0FF,

Nice work. I just wonder if MS (smoked) employees really thought, from the beginning, that driver signature checking would someday help against RKs. You guys just need to realize you can't give users protection against undocumented stuff and unknown attack techniques; PG is useless against thousands of attacks, and now again a lot of malware crap is going to use this, and you guys are gonna try to protect the DSE var with more USELESS stuff, and who is losing with this useless cycle?

Open source projects, people who want to learn, to develop, and the cycle restarts; the snake eats its tail.

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Posted: Thu Aug 07, 2014 7:04 am
by Vrtule
TurlaBoy wrote: Hey EP_X0FF,

Nice work. I just wonder if MS (smoked) employees really thought, from the beginning, that driver signature checking would someday help against RKs. You guys just need to realize you can't give users protection against undocumented stuff and unknown attack techniques; PG is useless against thousands of attacks, and now again a lot of malware crap is going to use this, and you guys are gonna try to protect the DSE var with more USELESS stuff, and who is losing with this useless cycle?

Open source projects, people who want to learn, to develop, and the cycle restarts; the snake eats its tail.
I agree with you. Driver signing and certificates are more about business than security. AFAIK nothing really forces you to revoke your code signing certificate when a vulnerability in your driver that allows bypassing DSE etc. is found. Hence, DSE filters out only people who are developing open source software and do not want to pay, and those who cannot pass the verification process (if you have a valid passport, you won't have any problem).

Update 15 dec 2014

Posted: Mon Dec 15, 2014 4:16 pm
by EP_X0FF
Small cosmetic update to reflect the latest idiotic changes in the Windows 10 TP 9901 build. The compiled executable has been cleaned of AV detections.

https://www.virustotal.com/en/file/1865 ... /analysis/

Re: Update 15 dec 2014

Posted: Sat Mar 07, 2015 5:00 am
by GLOBALBANFIXED
Hello EP_X0FF!
What version of the VBox driver do you use?
Thanks :)