search

magicsword-io / LOLDrivers

Living Off The Land Drivers
https://www.loldrivers.io/
Apache License 2.0
1.05k stars 123 forks source link

shimano32.sys/shimano64.sys #163

Open Wack0 opened 11 months ago

Wack0 commented 11 months ago

samples: https://www.virustotal.com/gui/file/e8b1a0ddc7a4404eb3c46217e07b5ed91723f44464a6ef589634aeb4fb8f5666 https://www.virustotal.com/gui/file/e3a1f0d967335c8a080a5b1e7e3a06a61f6cea39739cda3ebab11d2908713d80

Seems to be related to capcom.sys (device name is obfuscated, and is Htsysm4EFB)

Opus info says the responsible vendor is "株式会社DNPハイパーテック" so is probably related to HyperTech DNP CrackProof DRM/PE protector/anti-cheat/anti-tamper solution.

Malicious functionality is a few IOCTLs that give 32-bit read, 32-bit OR, 32-bit bitmask unset (&= ~Value) on an arbitrary (checked to be less than 0x1000) offset of current process EPROCESS object from usermode.

The functionality is gated on also providing 32-bit crypted value (custom algo), of which plaintext is the sum of current process PID and a value initialised to KUSER_SHARED_DATA::SystemTime (another IOCTL passes this value to usermode with no additional checks).

Escalating to protected process is an obvious use case. Probably other privesc is also possible if the driver is already running (not sure if attacker could craft a token object in usermode address space for example).