fix bugs

Author: TechForBad

CECheater/CECheater.vcxproj

@@ -95,6 +95,7 @@
       <PrecompiledHeader>NotUsing</PrecompiledHeader>
       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <LanguageStandard>stdcpp17</LanguageStandard>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -113,6 +114,7 @@
       <PrecompiledHeader>NotUsing</PrecompiledHeader>
       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <LanguageStandard>stdcpp17</LanguageStandard>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -131,6 +133,7 @@
       <PrecompiledHeader>NotUsing</PrecompiledHeader>
       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <LanguageStandard>stdcpp17</LanguageStandard>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -149,6 +152,7 @@
       <PrecompiledHeader>NotUsing</PrecompiledHeader>
       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <LanguageStandard>stdcpp17</LanguageStandard>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>

CECheater/MemLoadDriver.cpp

@@ -473,7 +473,7 @@ static BYTE shellcode_JmpDriverEntry[] = {
 };
 
 // 加载自己的未签名驱动
-bool DBK_LoadMyDriver(const wchar_t* driverFileName, const wchar_t* driverName)
+bool DBK_LoadMyDriver(LoadType loadType, const wchar_t* driverFilePath, const wchar_t* driverName)
 {
     bool result = true;
 
@@ -492,14 +492,6 @@ bool DBK_LoadMyDriver(const wchar_t* driverFileName, const wchar_t* driverName)
     {
         // 构造映像内存Image
         // 1.将文件映射到内存pFileBuffer，文件大小为fileBufferLen，映像大小为imageSize
-        WCHAR driverFilePath[MAX_PATH] = { 0 };
-        if (!GetCurrentModuleDirPath(driverFilePath))
-        {
-            LOG("GetCurrentModuleDirPath failed");
-            result = false;
-            break;
-        }
-        wcscat(driverFilePath, driverFileName);
         pFileBuffer = LoadFileToMemory(driverFilePath, fileBufferLen);
         if (NULL == pFileBuffer || 0 == fileBufferLen)
         {
@@ -563,8 +555,7 @@ bool DBK_LoadMyDriver(const wchar_t* driverFileName, const wchar_t* driverName)
         // 获取驱动起始地址
         UINT64 pDriverInitialize = (UINT64)CONVERT_RVA(pKernelImage, pImageNtHeaders->OptionalHeader.AddressOfEntryPoint);
 
-        bool useIoCreateDriver = true;
-        if (useIoCreateDriver)
+        if (LoadByIoCreateDriver == loadType)
         {
             // 构造调用IoCreateDriver来创建驱动的shellcode
             // 1.shellcode大小为shellcodeSize
@@ -608,7 +599,7 @@ bool DBK_LoadMyDriver(const wchar_t* driverFileName, const wchar_t* driverName)
                 break;
             }
         }
-        else
+        else if (LoadByShellcode == loadType)
         {
             // 构造直接调用DriverEntry的shellcode
             shellcodeSize = sizeof(shellcode_JmpDriverEntry);

CECheater/MemLoadDriver.h

@@ -2,4 +2,4 @@
 #include "DBKControl.h"
 
 // ¼ÓÔØ×Ô¼ºµÄδǩÃûÇý¶¯
-bool DBK_LoadMyDriver(const wchar_t* driverFileName, const wchar_t* driverName);
+bool DBK_LoadMyDriver(LoadType loadType, const wchar_t* driverFilePath, const wchar_t* driverName);

CECheater/common.h

@@ -4,6 +4,8 @@
 #include <string>
 #include <thread>
 #include <assert.h>
+#include <iostream>
+#include <filesystem>
 
 #pragma warning(disable: 4996)
 
@@ -23,6 +25,12 @@
 #define DBK_DRIVER_NAME L"richstuffk32.sys"
 #endif
 
+enum LoadType
+{
+	LoadByShellcode,            // 当作shellcode来加载驱动，会由当前进程直接运行驱动的入口点代码
+	LoadByIoCreateDriver,       // 调用IoCreateDriver加载驱动，会创建驱动对象，并由系统进程运行驱动的入口点代码
+};
+
 std::string Format(const char* format, ...);
 std::wstring Format(const wchar_t* format, ...);
 

CECheater/dllmain.cpp

@@ -3,6 +3,61 @@
 #include "DBKControl.h"
 #include "MemLoadDriver.h"
 
+static LoadType g_LoadType;
+static WCHAR g_DriverFilePath[MAX_PATH] = { 0 };
+static WCHAR g_DriverName[100] = L"\\FileSystem\\";
+
+bool ParseCommandLine()
+{
+	int nArgs = 0;
+	LPWSTR* argList = CommandLineToArgvW(GetCommandLineW(), &nArgs);
+	if (nArgs < 3)
+	{
+		LOG("Number of command args is too few: %d", nArgs);
+        return false;
+	}
+
+    // 判断驱动文件是否存在
+	if (!std::filesystem::exists(argList[2]))
+	{
+		LOG("Parameter error, path not exist: %ws", argList[2]);
+        return false;
+	}
+    LOG("Find driver file path: %ws", g_DriverFilePath);
+
+    // 获取驱动文件绝对路径
+	std::filesystem::path driverFilePath = std::filesystem::absolute(argList[2]);
+	wcscpy(g_DriverFilePath, driverFilePath.c_str());
+
+    // 获取驱动文件名
+	std::wstring driverName = driverFilePath.stem();
+	if (driverName.length() > 90)
+	{
+		LOG("Parameter error, file name is too long: %ws", driverName.c_str());
+		return false;
+	}
+	wcscat(g_DriverName, driverName.c_str());
+
+    // 获取加载类型
+    if (0 == _wcsicmp(argList[1], L"-load_by_shellcode"))
+    {
+        g_LoadType = LoadByShellcode;
+        LOG("Parameter error, load type: load by shellcode");
+    }
+    else if (0 == _wcsicmp(argList[1], L"-load_by_driver"))
+    {
+		g_LoadType = LoadByIoCreateDriver;
+		LOG("load type: load by driver, driver name: %ws", g_DriverName);
+    }
+    else
+    {
+        LOG("Unknown load type: %ws", argList[1]);
+        return false;
+    }
+
+    return true;
+}
+
 void Worker()
 {
     // 提权
@@ -41,7 +96,7 @@ void Worker()
     LOG("init DBKDriver success");
 
     // 加载自定义驱动
-    if (!DBK_LoadMyDriver(DRIVER_TO_LOAD, DRIVER_NAME))
+    if (!DBK_LoadMyDriver(g_LoadType, g_DriverFilePath, g_DriverName))
     {
         LOG("load my driver failed");
         return;
@@ -59,6 +114,12 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReser
 
         __try
         {
+            if (!ParseCommandLine())
+            {
+                LOG("ParseCommandLine failed");
+                __leave;
+            }
+
             Worker();
         }
         __finally

README.md

@@ -15,17 +15,19 @@ https://bbs.kanxue.com/thread-277919.htm
 
 
 # 编译
-visual studio 2022 + x64 config（低版本的visual studio应该也是可以的）
+CECheater项目的编译配置为“C++17 + vs2022 + x64 config”，编译完后将生成的lua53-64.dll替换掉bin64里原来的lua53-64.dll就可以了
 
 
-# 部署
-1.如果要直接使用部署结果，bin64.7z文件夹中提供了两种不同的方式加载未签名驱动MyDriver.sys，在“bin64\READMD.md”中有具体描述，您可以选择其中一种方式后替换掉MyDriver.sys即可
+# 运行
+文件夹bin64.7z里提供了最终部署结果，需要以管理员权限运行，提供了两种不同的方式加载未签名驱动MyDriver.sys
 
-2.如果要自己编译源码，则编译完后将CECheater项目生成的lua53-64.dll替换掉bin64里原来的lua53-64.dll就可以了
+1.将MyDriver.sys映射到内存中，修复其RVA和导入表，之后由当前进程直接运行驱动的入口点代码
 
+richstuff-x86_64.exe -load_by_shellcode .\\MyDriver.sys
 
-# 运行
-以管理员权限运行bin64.7z里的richstuff-x86_64.exe，进程会导入lua53-64.dll，这个dll会加载richstuffk64.sys，之后利用richstuffk64.sys提供的功能将MyDriver.sys映射到内存中，修复其RVA和导入表，并运行该驱动
+2.将MyDriver.sys映射到内存中，修复其RVA和导入表，之后调用IoCreateDriver来加载驱动，会创建驱动对象，并由系统进程运行驱动的入口点代码
+
+richstuff-x86_64.exe -load_by_driver .\\MyDriver.sys
 
 
 # 支持平台