IDontCode
/
HMDM
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Highly Modular Driver Mapper
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17 Commits
3 Branches
1 Tag
314 KiB
 
 
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a164e2c9c0'
${ noResults }
Go to file
_xeroxz a164e2c9c0
Update README.md 		3 years ago
HMDM-MSREXEC init commit 3 years ago
HMDM-VDM init commit 3 years ago
drv_example init commit 3 years ago
HMDM.sln init commit 3 years ago
README.md Update README.md 3 years ago

README.md

HMDM - Highly Modular Driver Mapper

HMDM is a driver mapper which uses any method to allocate kernel memory and any method to copy kernel memory to map unsigned code into the windows kernel. This project is based off of physmeme and is what I intended on creating originally, but was unable to. This repo contains two examples of HMDM, one with VDM (Vulnerable Driver Manipulation of drivers exposing arbitrary physical memory read and write), and the other example using MSREXEC which uses any driver that can write to arbitrary MSR's to elevate to kernel execution. Besides VDM and MSREXEC, one could use any other method of executable kernel memory allocation and arbitrary kernel writes to interface with drv::hmdm_ctx.

Getting Started

In order to create a drv::hmdm_ctx, one must first declare two lambdas. One lambda for allocating executable kernel memory, and another lambda for arbitrary kernel writes. Programmers can use any vulnerabilities to facilitate these requirements. Once both lambdas are defined one can create a drv::hmdm_ctx. Simply pass in both lambdas at the same time with a static initializer.

drv::hmdm_ctx drv_mapper({ _kalloc, _kmemcpy });

// read driver off disk to be mapped...
drv::drv_buffer_t drv_buffer;
utils::open_binary_file(argv[1], drv_buffer);

// map driver into the kernel...
const auto [drv_base, drv_entry] = drv_mapper.map_module(drv_buffer);

NOTE: drv::hmdm_ctx does not call the drivers entry. You must do this yourself using whatever method. This is easily done with VDM and MSREXEC.

// calls driver entry point with MSREXEC... 
// you can change the entry point params to fit your needs...
NTSTATUS result;
msrexec.exec([&result, drv_entry = drv_entry, drv_base = drv_base]
	(void* krnl_base, get_system_routine_t get_kroutine) -> void
{
	using drv_entry_t = NTSTATUS(*)(std::uintptr_t);
	result = reinterpret_cast<drv_entry_t>(drv_entry)(drv_base);
});

// calls driver entry point with VDM... 
// you can change the entry point params to fit your needs...
const auto entry_result = 
    vdm.syscall<NTSTATUS(*)(std::uintptr_t)>(
	    reinterpret_cast<void*>(drv_entry), drv_base);

VDM Example

drv::kalloc_t - VDM Example
vdm::vdm_ctx vdm(_read_phys, _write_phys);
drv::kalloc_t _kalloc = [&](std::size_t size) -> void*
{
	using ex_alloc_pool_t = 
		void* (*)(std::uint32_t, std::uint32_t);

	static const auto ex_alloc_pool =
		reinterpret_cast<void*>(
			utils::kmodule::get_export(
				"ntoskrnl.exe", "ExAllocatePool"));

	return vdm.syscall<ex_alloc_pool_t>(ex_alloc_pool, NULL, size);
};
drv::kmemcpy_t - VDM Example

NOTE: The memcpy being called in this example is exported from ntoskrnl.exe and not in usermode.

drv::kmemcpy_t _kmemcpy = 
	[&](void* dest, const void* src, std::size_t size) -> void*
{
	static const auto kmemcpy = 
		reinterpret_cast<void*>(
			utils::kmodule::get_export(
				"ntoskrnl.exe", "memcpy"));

	return vdm.syscall<decltype(&memcpy)>(kmemcpy, dest, src, size);
};

MSREXEC Example

drv::kalloc_t - MSREXEC Example

NOTE: When using MSREXEC be aware that vdm::msrexec_ctx::exec returns void. This requires a programmer to make a nested lambda in order to obtain a result.

vdm::msrexec_ctx msrexec(_write_msr);
drv::kalloc_t _kalloc = [&](std::size_t size) -> void*
{
	void* alloc_base;
	msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void
	{
		using ex_alloc_pool_t = 
			void* (*)(std::uint32_t, std::size_t);

		const auto ex_alloc_pool = 
			reinterpret_cast<ex_alloc_pool_t>(
				get_kroutine(krnl_base, "ExAllocatePool"));

		alloc_base = ex_alloc_pool(NULL, size);
	});
	return alloc_base;
};
drv::kmemcpy_t - MSREXEC Example

NOTE: When using MSREXEC be aware that vdm::msrexec_ctx::exec returns void. This requires a programmer to make a nested lambda in order to obtain a result.

drv::kmemcpy_t _kmemcpy = 
	[&](void* dest, const void* src, std::size_t size) -> void*
{
	void* result = nullptr;
	msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void
	{
		const auto kmemcpy = 
			reinterpret_cast<decltype(&memcpy)>(
				get_kroutine(krnl_base, "memcpy"));

		result = kmemcpy(dest, src, size);
	});
	return result;
};