From a164e2c9c01dcb8ece755dede7785b756241254a Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sun, 28 Feb 2021 05:19:43 +0000 Subject: [PATCH] Update README.md --- README.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 95cb65f..5399dde 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,40 @@ HMDM is a driver mapper which uses any method to allocate kernel memory and any *** -In order to create a `drv::hmdm_ctx`, one must first declare two lambdas. One lambda for allocating executable kernel memory, and another lambda for arbitrary kernel writes. Programmers can use any vulnerabilities to facilitate these requirements. +In order to create a `drv::hmdm_ctx`, one must first declare two lambdas. One lambda for allocating executable kernel memory, and another lambda for arbitrary kernel writes. Programmers can use any vulnerabilities to facilitate these requirements. Once both lambdas are defined one can create a `drv::hmdm_ctx`. Simply pass in both lambdas at the same time with a `static initializer`. + +```cpp +drv::hmdm_ctx drv_mapper({ _kalloc, _kmemcpy }); + +// read driver off disk to be mapped... +drv::drv_buffer_t drv_buffer; +utils::open_binary_file(argv[1], drv_buffer); + +// map driver into the kernel... +const auto [drv_base, drv_entry] = drv_mapper.map_module(drv_buffer); +``` + +***NOTE:*** `drv::hmdm_ctx` does not call the drivers entry. You must do this yourself using whatever method. This is easily done with VDM and MSREXEC. + +```cpp +// calls driver entry point with MSREXEC... +// you can change the entry point params to fit your needs... +NTSTATUS result; +msrexec.exec([&result, drv_entry = drv_entry, drv_base = drv_base] + (void* krnl_base, get_system_routine_t get_kroutine) -> void +{ + using drv_entry_t = NTSTATUS(*)(std::uintptr_t); + result = reinterpret_cast(drv_entry)(drv_base); +}); +``` + +```cpp +// calls driver entry point with VDM... +// you can change the entry point params to fit your needs... +const auto entry_result = + vdm.syscall( + reinterpret_cast(drv_entry), drv_base); +``` #### VDM Example
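Review bot: the two entry-call snippets in this hunk drop the cast's target type, so as written they will not compile: `result = reinterpret_cast(drv_entry)(drv_base);` needs the alias declared on the line above it, i.e. `result = reinterpret_cast<drv_entry_t>(drv_entry)(drv_base);`, and the VDM snippet's `reinterpret_cast(drv_entry)` likewise needs its function-pointer type spelled out (the intended type is not visible in this hunk, so the README should state it). If the angle brackets were only lost in rendering, the README still benefits from the fenced blocks being checked against a compiler, since readers will paste them. Two wording points in the same hunk: "does not call the drivers entry" should read "driver's entry", and "with a `static initializer`" misdescribes `drv::hmdm_ctx drv_mapper({ _kalloc, _kmemcpy });`, which is brace (aggregate) initialization of the two lambdas, not a static initializer; the NOTE would also be clearer if it said that `map_module` returns the pair `[drv_base, drv_entry]` that the later snippets consume, so the reader knows where those names come from.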