IDontCode
/
PSKDM
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

its not stable but git is being impossible to work with so im just

Browse Source 
pushing this shit to master and going 2 bed, fuck it!
master
_xeroxz 4 years ago
parent c9b8d80b22
commit d382cf80cc
16 changed files with 455 additions and 233 deletions
Show Stats Download Patch File Download Diff File

4
PSKDM/PSKDM.vcxproj
Unescape View File

@ -202,6 +202,7 @@
<ClCompile Include="map_driver.cpp" />
<ClCompile Include="mem_ctx\mem_ctx.cpp" />
<ClCompile Include="pe_image\pe_image.cpp" />
<ClCompile Include="set_mgr\set_mgr.cpp" />
<ClCompile Include="vdm_ctx\vdm_ctx.cpp" />
</ItemGroup>
<ItemGroup>
@ -209,13 +210,14 @@
<ClInclude Include="map_driver.hpp" />
<ClInclude Include="mem_ctx\mem_ctx.hpp" />
<ClInclude Include="pe_image\pe_image.h" />
<ClInclude Include="set_mgr\set_mgr.hpp" />
<ClInclude Include="util\hook.hpp" />
<ClInclude Include="util\loadup.hpp" />
<ClInclude Include="util\nt.hpp" />
<ClInclude Include="util\util.hpp" />
<ClInclude Include="vdm\raw_driver.hpp" />
<ClInclude Include="vdm\vdm.hpp" />
<ClInclude Include="vdm_ctx\vdm_ctx.h" />
<ClInclude Include="vdm_ctx\vdm_ctx.hpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">

8
PSKDM/PSKDM.vcxproj.filters
Unescape View File

@ -32,6 +32,9 @@
<ClCompile Include="mapper_ctx\mapper_ctx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="set_mgr\set_mgr.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="util\hook.hpp">
@ -64,7 +67,10 @@
<ClInclude Include="pe_image\pe_image.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="vdm_ctx\vdm_ctx.h">
<ClInclude Include="set_mgr\set_mgr.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="vdm_ctx\vdm_ctx.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>

32
PSKDM/map_driver.cpp
Unescape View File

@ -1,7 +1,8 @@
#include "map_driver.hpp"
#include "mapper_ctx/mapper_ctx.hpp"
#include "vdm_ctx/vdm_ctx.h"
#include "vdm_ctx/vdm_ctx.hpp"
#include "vdm/vdm.hpp"
#include "set_mgr/set_mgr.hpp"
namespace mapper
{
@ -21,18 +22,35 @@ namespace mapper
if (!runtime_broker_pid)
return { mapper_error::failed_to_create_proc, nullptr };
vdm::vdm_ctx v_ctx;
nasa::mem_ctx my_proc(v_ctx, GetCurrentProcessId());
nasa::mem_ctx runtime_broker(v_ctx, runtime_broker_pid);
nasa::mapper_ctx mapper(my_proc, runtime_broker);
vdm::read_phys_t _read_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{
return vdm::read_phys(addr, buffer, size);
};
const auto [drv_base, drv_entry] = mapper.map(drv_buffer);
vdm::write_phys_t _write_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{
return vdm::write_phys(addr, buffer, size);
};
vdm::vdm_ctx v_ctx(_read_phys, _write_phys);
nasa::mem_ctx my_proc(&v_ctx, GetCurrentProcessId());
nasa::mem_ctx runtime_broker(&v_ctx, runtime_broker_pid);
nasa::mapper_ctx mapper(&my_proc, &runtime_broker);
const auto result =
set_mgr::stop_setmgr(v_ctx,
set_mgr::get_setmgr_pethread(v_ctx));
if (result != STATUS_SUCCESS)
return { mapper_error::set_mgr_failure, nullptr };
const auto [drv_base, drv_entry] = mapper.map(drv_buffer);
if (!drv_base || !drv_entry)
return { mapper_error::init_failed, nullptr };
mapper.call_entry(drv_entry, entry_data);
if (!vdm::unload_drv(drv_handle, drv_key))
return { mapper_error::unload_error, nullptr };

17
PSKDM/map_driver.hpp
Unescape View File

@ -7,13 +7,14 @@ namespace mapper
{
enum class mapper_error
{
error_success = 0x000, // everything is good!
image_invalid = 0x111, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error = 0x222, // unable to load signed driver into the kernel (are you running as admin?)
unload_error = 0x333, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail = 0x444, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed = 0x555, // setting up library dependancies failed!
failed_to_create_proc = 0x777 // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
error_success, // everything is good!
image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error, // unable to load signed driver into the kernel (are you running as admin?)
unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed, // setting up library dependancies failed!
failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
set_mgr_failure // unable to stop working set manager thread... this thread can cause issues with PTM...
};
/// <summary>
@ -23,5 +24,5 @@ namespace mapper
/// <param name="image_size">size of the driver buffer</param>
/// <param name="entry_data">data to be sent to the entry point of the driver...</param>
/// <returns>status of the driver being mapped, and base address of the driver...</returns>
std::pair<mapper_error, void*> map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data);
auto map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data)->std::pair<mapper_error, void*>;
}

52
PSKDM/mapper_ctx/mapper_ctx.cpp
Unescape View File

@ -4,8 +4,8 @@ namespace nasa
{
mapper_ctx::mapper_ctx
(
nasa::mem_ctx& map_into,
nasa::mem_ctx& map_from
nasa::mem_ctx* map_into,
nasa::mem_ctx* map_from
)
:
map_into(map_into),
@ -14,7 +14,7 @@ namespace nasa
{
const auto map_into_pml4 =
reinterpret_cast<ppml4e>(
map_into.set_page(map_into.get_dirbase()));
map_into->set_page(map_into->dirbase));
// look for an empty pml4e...
for (auto idx = 0u; idx < 256; ++idx)
@ -30,18 +30,20 @@ namespace nasa
auto mapper_ctx::map(std::vector<std::uint8_t>& raw_image) -> std::pair<void*, void*>
{
const auto [drv_alloc, drv_entry_addr] = allocate_driver(raw_image);
auto [drv_ppml4e, drv_pml4e] = map_from.get_pml4e(drv_alloc);
auto [drv_ppml4e, drv_pml4e] = map_from->get_pml4e(drv_alloc);
while (!SwitchToThread());
make_kernel_access(drv_alloc);
map_from.set_pml4e(drv_ppml4e, pml4e{ NULL });
while (!SwitchToThread());
while (!map_from->set_pml4e(drv_ppml4e, pml4e{ NULL }))
continue;
drv_pml4e.nx = false;
drv_pml4e.user_supervisor = false;
map_into.write_phys(reinterpret_cast<ppml4e>(
map_into.get_dirbase()) + this->pml4_idx, drv_pml4e);
// ensure we insert the pml4e...
while (!map_into->write_phys(
reinterpret_cast<ppml4e>(
map_into->dirbase) + this->pml4_idx, drv_pml4e))
continue;
virt_addr_t new_addr = { reinterpret_cast<void*>(drv_alloc) };
new_addr.pml4_index = this->pml4_idx;
@ -50,7 +52,7 @@ namespace nasa
void mapper_ctx::call_entry(void* drv_entry, void** hook_handler) const
{
map_into.v_ctx->syscall<NTSTATUS(__fastcall*)(void**)>(drv_entry, hook_handler);
map_into->v_ctx->syscall<NTSTATUS(__fastcall*)(void**)>(drv_entry, hook_handler);
}
auto mapper_ctx::allocate_driver(std::vector<std::uint8_t>& raw_image) -> std::pair<void*, void*>
@ -60,11 +62,11 @@ namespace nasa
OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
map_from.get_pid()
map_from->pid
);
if (!process_handle)
return {};
return { {}, {} };
drv_image.fix_imports([&](const char* module_name, const char* export_name)
{
@ -87,7 +89,7 @@ namespace nasa
));
if (!drv_alloc_base)
return {};
return { {}, {} };
virt_addr_t new_addr = { reinterpret_cast<void*>(drv_alloc_base) };
new_addr.pml4_index = this->pml4_idx;
@ -110,15 +112,23 @@ namespace nasa
return
{
reinterpret_cast<void*>(drv_alloc_base),
reinterpret_cast<void*>(drv_image.entry_point() + reinterpret_cast<std::uintptr_t>(new_addr.value))
reinterpret_cast<void*>(drv_image.entry_point() +
reinterpret_cast<std::uintptr_t>(new_addr.value))
};
}
void mapper_ctx::make_kernel_access(void* drv_base)
{
const auto [ppdpte, pdpte] = map_from.get_pdpte(drv_base);
auto ppdpte_phys = reinterpret_cast<void*>((reinterpret_cast<std::uint64_t>(ppdpte) >> 12) << 12); // 0 the last 12 bits...
auto pdpt_mapping = reinterpret_cast<::ppdpte>(map_from.set_page(ppdpte_phys));
const auto [ppdpte, pdpte] =
map_from->get_pdpte(drv_base);
auto ppdpte_phys =
reinterpret_cast<void*>((
reinterpret_cast<std::uint64_t>(ppdpte) >> 12) << 12); // 0 the last 12 bits...
auto pdpt_mapping =
reinterpret_cast<::ppdpte>(
map_from->set_page(ppdpte_phys));
// set pdptes to CPL0 access only and executable...
for (auto pdpt_idx = 0u; pdpt_idx < 512; ++pdpt_idx)
@ -129,7 +139,7 @@ namespace nasa
pdpt_mapping[pdpt_idx].nx = false;
auto pd_mapping = reinterpret_cast<ppde>(
map_from.set_page(reinterpret_cast<void*>(
map_from->set_page(reinterpret_cast<void*>(
pdpt_mapping[pdpt_idx].pfn << 12)));
// set pdes to CPL0 access only and executable...
@ -141,7 +151,7 @@ namespace nasa
pd_mapping[pd_idx].nx = false;
auto pt_mapping = reinterpret_cast<ppte>(
map_from.set_page(reinterpret_cast<void*>(
map_from->set_page(reinterpret_cast<void*>(
pd_mapping[pd_idx].pfn << 12)));
// set ptes to CPL0 access only and executable...
@ -156,14 +166,14 @@ namespace nasa
// set page back to pd...
pd_mapping = reinterpret_cast<ppde>(
map_from.set_page(reinterpret_cast<void*>(
map_from->set_page(reinterpret_cast<void*>(
pdpt_mapping[pdpt_idx].pfn << 12)));
}
}
// set page back to pdpt...
pdpt_mapping = reinterpret_cast<::ppdpte>(
map_from.set_page(ppdpte_phys));
map_from->set_page(ppdpte_phys));
}
}
}

8
PSKDM/mapper_ctx/mapper_ctx.hpp
Unescape View File

@ -6,14 +6,14 @@ namespace nasa
class mapper_ctx
{
public:
explicit mapper_ctx(nasa::mem_ctx& map_into, nasa::mem_ctx& map_from);
auto map(std::vector<std::uint8_t>& raw_image)->std::pair<void*, void*>;
explicit mapper_ctx(nasa::mem_ctx* map_into, nasa::mem_ctx* map_from);
auto map(std::vector<std::uint8_t>& raw_image) -> std::pair<void*, void*>;
void call_entry(void* drv_entry, void** hook_handler) const;
private:
std::uint16_t pml4_idx;
auto allocate_driver(std::vector<std::uint8_t>& raw_image)->std::pair<void*, void*>;
auto allocate_driver(std::vector<std::uint8_t>& raw_image) -> std::pair<void*, void*>;
void make_kernel_access(void* drv_base);
nasa::mem_ctx map_into, map_from;
nasa::mem_ctx* map_into, *map_from;
};
}

241
PSKDM/mem_ctx/mem_ctx.cpp
Unescape View File

@ -2,20 +2,25 @@
namespace nasa
{
mem_ctx::mem_ctx(vdm::vdm_ctx& v_ctx, DWORD pid)
mem_ctx::mem_ctx(vdm::vdm_ctx* v_ctx, std::uint32_t pid)
:
v_ctx(&v_ctx),
dirbase(get_dirbase(v_ctx, pid)),
v_ctx(v_ctx),
dirbase(get_dirbase(*v_ctx, pid)),
pid(pid)
{
// find an empty pml4e inside of current processes pml4...
const auto current_pml4 =
v_ctx.get_virtual(reinterpret_cast<std::uintptr_t>(
get_dirbase(v_ctx, GetCurrentProcessId())));
v_ctx->get_virtual(reinterpret_cast<std::uintptr_t>(
get_dirbase(*v_ctx, GetCurrentProcessId())));
for (auto idx = 100u; idx > 0u; --idx)
if (!v_ctx.rkm<pml4e>(current_pml4 + (idx * sizeof pml4e)).value)
{
if (!v_ctx->rkm<pml4e>(current_pml4 + (idx * sizeof pml4e)).present)
{
this->pml4e_index = idx;
break;
}
}
// allocate a pdpt
this->new_pdpt.second =
@ -31,13 +36,17 @@ namespace nasa
// get page table entries for new pdpt
pt_entries new_pdpt_entries;
hyperspace_entries(new_pdpt_entries, new_pdpt.second);
this->new_pdpt.first = reinterpret_cast<ppdpte>(new_pdpt_entries.pt.second.pfn << 12);
this->new_pdpt.first =
reinterpret_cast<ppdpte>(
new_pdpt_entries.pt.second.pfn << 12);
// make a new pml4e that points to our new pdpt.
new_pdpt_entries.pml4.second.pfn = new_pdpt_entries.pt.second.pfn;
// set the pml4e to point to the new pdpt
set_pml4e(reinterpret_cast<::ppml4e>(get_dirbase()) + this->pml4e_index, new_pdpt_entries.pml4.second, true);
set_pml4e(reinterpret_cast<::ppml4e>(this->dirbase) +
this->pml4e_index, new_pdpt_entries.pml4.second, true);
// make a new pd
this->new_pd.second =
@ -54,7 +63,10 @@ namespace nasa
// get paging table entries for pd
pt_entries new_pd_entries;
hyperspace_entries(new_pd_entries, this->new_pd.second);
this->new_pd.first = reinterpret_cast<ppde>(new_pd_entries.pt.second.pfn << 12);
this->new_pd.first =
reinterpret_cast<ppde>(
new_pd_entries.pt.second.pfn << 12);
// make a new pt
this->new_pt.second =
@ -71,42 +83,42 @@ namespace nasa
// get paging table entries for pt
pt_entries new_pt_entries;
hyperspace_entries(new_pt_entries, this->new_pt.second);
this->new_pt.first = reinterpret_cast<ppte>(new_pt_entries.pt.second.pfn << 12);
this->new_pt.first =
reinterpret_cast<ppte>(
new_pt_entries.pt.second.pfn << 12);
}
mem_ctx::~mem_ctx()
{
set_pml4e(reinterpret_cast<::ppml4e>(get_dirbase()) + this->pml4e_index, pml4e{NULL});
while (!SwitchToThread());
const auto pml4 =
reinterpret_cast<ppml4e>(
set_page(dirbase))[pml4e_index] = pml4e{ NULL };
}
void* mem_ctx::set_page(void* addr)
{
// table entry change.
++pte_index;
if (pte_index > 511)
{
++pte_index;
if (pte_index >= 511)
{
++pde_index;
pte_index = 0;
}
if (pde_index >= 511)
{
++pdpte_index;
pde_index = 0;
}
++pde_index;
pte_index = 0;
}
if (pdpte_index >= 511)
pdpte_index = 0;
if (pde_index > 511)
{
++pdpte_index;
pde_index = 0;
}
if (pdpte_index > 511)
pdpte_index = 0;
pdpte new_pdpte = { NULL };
new_pdpte.present = true;
new_pdpte.rw = true;
new_pdpte.pfn = reinterpret_cast<std::uintptr_t>(new_pd.first) >> 12;
new_pdpte.user_supervisor = true;
new_pdpte.accessed = true;
// set pdpte entry
*reinterpret_cast<pdpte*>(new_pdpt.second + pdpte_index) = new_pdpte;
@ -116,7 +128,6 @@ namespace nasa
new_pde.rw = true;
new_pde.pfn = reinterpret_cast<std::uintptr_t>(new_pt.first) >> 12;
new_pde.user_supervisor = true;
new_pde.accessed = true;
// set pde entry
*reinterpret_cast<pde*>(new_pd.second + pde_index) = new_pde;
@ -126,7 +137,6 @@ namespace nasa
new_pte.rw = true;
new_pte.pfn = reinterpret_cast<std::uintptr_t>(addr) >> 12;
new_pte.user_supervisor = true;
new_pte.accessed = true;
// set pte entry
*reinterpret_cast<pte*>(new_pt.second + pte_index) = new_pte;
@ -145,18 +155,39 @@ namespace nasa
new_addr.pd_index = this->pde_index;
new_addr.pt_index = this->pte_index;
new_addr.offset = this->page_offset;
// handle TLB issues, the TLB might need to be flushed for this entry...
__try
{
*(std::uint8_t*)new_addr.value = *(std::uint8_t*)new_addr.value;
return new_addr.value;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
// try again to access the page...
__try
{
*(std::uint8_t*)new_addr.value = *(std::uint8_t*)new_addr.value;
return new_addr.value;
}
// try one last time by yeilding execution...
__except (EXCEPTION_EXECUTE_HANDLER)
{
while (!SwitchToThread())
continue;
}
}
return new_addr.value;
}
void* mem_ctx::get_dirbase(vdm::vdm_ctx& v_ctx, DWORD pid)
{
const auto peproc =
reinterpret_cast<std::uint64_t>(v_ctx.get_peprocess(pid));
reinterpret_cast<std::uint64_t>(
v_ctx.get_peprocess(pid));
const auto dirbase =
v_ctx.rkm<pte>(peproc + 0x28);
return reinterpret_cast<void*>(dirbase.pfn << 12);
return reinterpret_cast<void*>(
v_ctx.rkm<pte>(peproc + 0x28).pfn << 12);
}
bool mem_ctx::hyperspace_entries(pt_entries& entries, void* addr)
@ -201,95 +232,106 @@ namespace nasa
return true;
}
std::pair<ppte, pte> mem_ctx::get_pte(void* addr, bool use_hyperspace)
auto mem_ctx::get_pte(void* addr, bool use_hyperspace) -> std::pair<ppte, pte>
{
if (!dirbase || !addr)
return {};
return { {}, {} };
pt_entries entries;
if ((use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)))
return { entries.pt.first, entries.pt.second };
return {};
return { {}, {} };
}
void mem_ctx::set_pte(void* addr, const ::pte& pte, bool use_hyperspace)
bool mem_ctx::set_pte(void* addr, const ::pte& pte, bool use_hyperspace)
{
if (!dirbase || !addr)
return;
return false;
if (use_hyperspace)
v_ctx->wkm(v_ctx->get_virtual(reinterpret_cast<std::uintptr_t>(addr)), pte);
else
write_phys(addr, pte);
return v_ctx->wkm(
v_ctx->get_virtual(
reinterpret_cast<std::uintptr_t>(addr)), pte);
return write_phys(addr, pte);
}
std::pair<ppde, pde> mem_ctx::get_pde(void* addr, bool use_hyperspace)
auto mem_ctx::get_pde(void* addr, bool use_hyperspace) -> std::pair<ppde, pde>
{
if (!dirbase || !addr)
return {};
return { {}, {} };
pt_entries entries;
if ((use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)))
return { entries.pd.first, entries.pd.second };
return {};
return { {}, {} };
}
void mem_ctx::set_pde(void* addr, const ::pde& pde, bool use_hyperspace)
bool mem_ctx::set_pde(void* addr, const ::pde& pde, bool use_hyperspace)
{
if (!this->dirbase || !addr)
return;
if (!dirbase || !addr)
return false;
if (use_hyperspace)
v_ctx->wkm(v_ctx->get_virtual(reinterpret_cast<std::uintptr_t>(addr)), pde);
else
write_phys(addr, pde);
return v_ctx->wkm(
v_ctx->get_virtual(
reinterpret_cast<std::uintptr_t>(addr)), pde);
return write_phys(addr, pde);
}
std::pair<ppdpte, pdpte> mem_ctx::get_pdpte(void* addr, bool use_hyperspace)
auto mem_ctx::get_pdpte(void* addr, bool use_hyperspace) -> std::pair<ppdpte, pdpte>
{
if (!dirbase || !addr)
return {};
return { {}, {} };
pt_entries entries;
if ((use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)))
return { entries.pdpt.first, entries.pdpt.second };
return {};
return { {}, {} };
}
void mem_ctx::set_pdpte(void* addr, const ::pdpte& pdpte, bool use_hyperspace)
bool mem_ctx::set_pdpte(void* addr, const ::pdpte& pdpte, bool use_hyperspace)
{
if (!this->dirbase || !addr)
return;
if (!dirbase || !addr)
return false;
if (use_hyperspace)
v_ctx->wkm(v_ctx->get_virtual(reinterpret_cast<std::uintptr_t>(addr)), pdpte);
else
write_phys(addr, pdpte);
return v_ctx->wkm(
v_ctx->get_virtual(
reinterpret_cast<std::uintptr_t>(addr)), pdpte);
return write_phys(addr, pdpte);
}
std::pair<ppml4e, pml4e> mem_ctx::get_pml4e(void* addr, bool use_hyperspace)
auto mem_ctx::get_pml4e(void* addr, bool use_hyperspace) -> std::pair<ppml4e, pml4e>
{
if (!this->dirbase || !addr)
return {};
if (!dirbase || !addr)
return { {}, {} };
pt_entries entries;
if ((use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)))
return { entries.pml4.first, entries.pml4.second };
return {};
return { {}, {} };
}
void mem_ctx::set_pml4e(void* addr, const ::pml4e& pml4e, bool use_hyperspace)
bool mem_ctx::set_pml4e(void* addr, const ::pml4e& pml4e, bool use_hyperspace)
{
if (!this->dirbase || !addr)
return;
if (!dirbase || !addr)
return false;
if (use_hyperspace)
v_ctx->wkm(v_ctx->get_virtual(reinterpret_cast<std::uintptr_t>(addr)), pml4e);
else
write_phys(addr, pml4e);
return v_ctx->wkm(
v_ctx->get_virtual(
reinterpret_cast<std::uintptr_t>(addr)), pml4e);
return write_phys(addr, pml4e);
}
std::pair<void*, void*> mem_ctx::read_virtual(void* buffer, void* addr, std::size_t size)
auto mem_ctx::read_virtual(void* buffer, void* addr, std::size_t size) -> std::pair<void*, void*>
{
if (!buffer || !addr || !size || !dirbase)
return {};
@ -331,7 +373,7 @@ namespace nasa
}
}
std::pair<void*, void*> mem_ctx::write_virtual(void* buffer, void* addr, std::size_t size)
auto mem_ctx::write_virtual(void* buffer, void* addr, std::size_t size) -> std::pair<void*, void*>
{
if (!buffer || !addr || !size || !dirbase)
return {};
@ -373,10 +415,10 @@ namespace nasa
}
}
void mem_ctx::read_phys(void* buffer, void* addr, std::size_t size)
bool mem_ctx::read_phys(void* buffer, void* addr, std::size_t size)
{
if (!buffer || !addr || !size)
return;
return false;
const auto temp_page = set_page(addr);
__try
@ -384,13 +426,16 @@ namespace nasa
memcpy(buffer, temp_page, size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{}
{
return false;
}
return true;
}
void mem_ctx::write_phys(void* buffer, void* addr, std::size_t size)
bool mem_ctx::write_phys(void* buffer, void* addr, std::size_t size)
{
if (!buffer || !addr || !size)
return;
return false;
const auto temp_page = set_page(addr);
__try
@ -398,12 +443,15 @@ namespace nasa
memcpy(temp_page, buffer, size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{}
{
return false;
}
return true;
}
void* mem_ctx::virt_to_phys(pt_entries& entries, void* addr)
{
if (!addr || !this->dirbase)
if (!addr || !dirbase)
return {};
const virt_addr_t virt_addr{ addr };
@ -447,37 +495,4 @@ namespace nasa
return reinterpret_cast<void*>((pte.pfn << 12) + virt_addr.offset);
}
unsigned mem_ctx::get_pid() const
{
return pid;
}
void* mem_ctx::get_dirbase() const
{
return dirbase;
}
pml4e mem_ctx::operator[](std::uint16_t pml4_idx)
{
return read_phys<::pml4e>(reinterpret_cast<ppml4e>(this->dirbase) + pml4_idx);
}
pdpte mem_ctx::operator[](const std::pair<std::uint16_t, std::uint16_t>& entry_idx)
{
const auto pml4_entry = this->operator[](entry_idx.first);
return read_phys<::pdpte>(reinterpret_cast<ppdpte>(pml4_entry.pfn << 12) + entry_idx.second);
}
pde mem_ctx::operator[](const std::tuple<std::uint16_t, std::uint16_t, std::uint16_t>& entry_idx)
{
const auto pdpt_entry = this->operator[]({ std::get<0>(entry_idx), std::get<1>(entry_idx) });
return read_phys<::pde>(reinterpret_cast<ppde>(pdpt_entry.pfn << 12) + std::get<2>(entry_idx));
}
pte mem_ctx::operator[](const std::tuple<std::uint16_t, std::uint16_t, std::uint16_t, std::uint16_t>& entry_idx)
{
const auto pd_entry = this->operator[]({ std::get<0>(entry_idx), std::get<1>(entry_idx), std::get<2>(entry_idx) });
return read_phys<::pte>(reinterpret_cast<ppte>(pd_entry.pfn << 12) + std::get<3>(entry_idx));
}
}

50
PSKDM/mem_ctx/mem_ctx.hpp
Unescape View File

@ -1,36 +1,33 @@
#pragma once
#include "../util/nt.hpp"
#include "../vdm_ctx/vdm_ctx.h"
#include "../vdm_ctx/vdm_ctx.hpp"
namespace nasa
{
class mem_ctx
{
friend class mapper_ctx;
public:
explicit mem_ctx(vdm::vdm_ctx& v_ctx, DWORD pid = GetCurrentProcessId());
explicit mem_ctx(vdm::vdm_ctx* v_ctx, std::uint32_t pid = GetCurrentProcessId());
~mem_ctx();
std::pair<ppte, pte> get_pte(void* addr, bool use_hyperspace = false);
void set_pte(void* addr, const ::pte& pte, bool use_hyperspace = false);
auto get_pte(void* addr, bool use_hyperspace = false) -> std::pair<ppte, pte>;
bool set_pte(void* addr, const ::pte& pte, bool use_hyperspace = false);
std::pair<ppde, pde> get_pde(void* addr, bool use_hyperspace = false);
void set_pde(void* addr, const ::pde& pde, bool use_hyperspace = false);
auto get_pde(void* addr, bool use_hyperspace = false) -> std::pair<ppde, pde>;
bool set_pde(void* addr, const ::pde& pde, bool use_hyperspace = false);
std::pair<ppdpte, pdpte> get_pdpte(void* addr, bool use_hyperspace = false);
void set_pdpte(void* addr, const ::pdpte& pdpte, bool use_hyperspace = false);
auto get_pdpte(void* addr, bool use_hyperspace = false) -> std::pair<ppdpte, pdpte>;
bool set_pdpte(void* addr, const ::pdpte& pdpte, bool use_hyperspace = false);
std::pair<ppml4e, pml4e> get_pml4e(void* addr, bool use_hyperspace = false);
void set_pml4e(void* addr, const ::pml4e& pml4e, bool use_hyperspace = false);
void* get_dirbase() const;
auto get_pml4e(void* addr, bool use_hyperspace = false) -> std::pair<ppml4e, pml4e>;
bool set_pml4e(void* addr, const ::pml4e& pml4e, bool use_hyperspace = false);
static void* get_dirbase(vdm::vdm_ctx& v_ctx, DWORD pid);
void read_phys(void* buffer, void* addr, std::size_t size);
void write_phys(void* buffer, void* addr, std::size_t size);
bool read_phys(void* buffer, void* addr, std::size_t size);
bool write_phys(void* buffer, void* addr, std::size_t size);
template <class T>
T read_phys(void* addr)
__forceinline T read_phys(void* addr)
{
T buffer;
read_phys((void*)&buffer, addr, sizeof(T));
@ -38,13 +35,13 @@ namespace nasa
}
template <class T>
void write_phys(void* addr, const T& data)
__forceinline bool write_phys(void* addr, const T& data)
{
write_phys((void*)&data, addr, sizeof(T));
return write_phys((void*)&data, addr, sizeof(T));
}
std::pair<void*, void*> read_virtual(void* buffer, void* addr, std::size_t size);
std::pair<void*, void*> write_virtual(void* buffer, void* addr, std::size_t size);
auto read_virtual(void* buffer, void* addr, std::size_t size) -> std::pair<void*, void*>;
auto write_virtual(void* buffer, void* addr, std::size_t size) -> std::pair<void*, void*>;
template <class T>
__forceinline T read_virtual(void* addr)
@ -61,19 +58,15 @@ namespace nasa
}
void* virt_to_phys(pt_entries& entries, void* addr);
bool hyperspace_entries(pt_entries& entries, void* addr);
void* set_page(void* addr);
void* get_page() const;
unsigned get_pid() const;
pml4e operator[](std::uint16_t pml4_idx);
pdpte operator[](const std::pair<std::uint16_t, std::uint16_t>& entry_idx);
pde operator[](const std::tuple<std::uint16_t, std::uint16_t, std::uint16_t>& entry_idx);
pte operator[](const std::tuple<std::uint16_t, std::uint16_t, std::uint16_t, std::uint16_t>& entry_idx);
private:
bool hyperspace_entries(pt_entries& entries, void* addr);
unsigned pid;
void* dirbase;
vdm::vdm_ctx* v_ctx;
private:
std::uint16_t pml4e_index,
pdpte_index,
pde_index,
@ -83,6 +76,5 @@ namespace nasa
std::pair<ppdpte, ppdpte> new_pdpt;
std::pair<ppde,ppde> new_pd;
std::pair<ppte, ppte> new_pt;
unsigned pid;
};
}

77
PSKDM/set_mgr/set_mgr.cpp
Unescape View File

@ -0,0 +1,77 @@
#include "set_mgr.hpp"
namespace set_mgr
{
auto get_setmgr_pethread(vdm::vdm_ctx& v_ctx)->PETHREAD
{
ULONG return_len = 0u;
std::size_t alloc_size = 0x1000u;
auto process_info = reinterpret_cast<SYSTEM_PROCESS_INFORMATION*>(malloc(alloc_size));
while (NtQuerySystemInformation
(
SystemProcessInformation,
process_info,
alloc_size,
&return_len
) == STATUS_INFO_LENGTH_MISMATCH)
process_info = reinterpret_cast<SYSTEM_PROCESS_INFORMATION*>(
realloc(process_info, alloc_size += 0x1000));
const auto og_ptr = process_info;
while (process_info && process_info->UniqueProcessId != (HANDLE)4)
process_info = reinterpret_cast<SYSTEM_PROCESS_INFORMATION*>(
reinterpret_cast<std::uintptr_t>(process_info) + process_info->NextEntryOffset);
auto thread_info = reinterpret_cast<SYSTEM_THREAD_INFORMATION*>(
reinterpret_cast<std::uintptr_t>(process_info) + sizeof SYSTEM_PROCESS_INFORMATION);
static const auto ntoskrnl_base =
util::get_kmodule_base("ntoskrnl.exe");
const auto [ke_balance_um, ke_balance_rva] =
util::memory::sig_scan(
KE_BALANCE_SIG, KE_BALANCE_MASK);
auto rip_rva = *reinterpret_cast<std::uint32_t*>(ke_balance_um + 19);
const auto ke_balance_set = ntoskrnl_base + ke_balance_rva + 23 + rip_rva;
const auto [suspend_in_um, suspend_rva] =
util::memory::sig_scan(SUSPEND_THREAD_SIG, SUSPEND_THREAD_MASK);
rip_rva = *reinterpret_cast<std::uint32_t*>(suspend_in_um + 1);
const auto ps_suspend_thread = reinterpret_cast<void*>(ntoskrnl_base + rip_rva + 5 + suspend_rva);
static const auto lookup_pethread =
util::get_kmodule_export("ntoskrnl.exe", "PsLookupThreadByThreadId");
for (auto idx = 0u; idx < process_info->NumberOfThreads; ++idx)
{
if (thread_info[idx].StartAddress == reinterpret_cast<void*>(ke_balance_set))
{
PETHREAD pethread;
auto result = v_ctx.syscall<PsLookupThreadByThreadId>(
lookup_pethread, thread_info[idx].ClientId.UniqueThread, &pethread);
free(og_ptr);
return pethread;
}
}
free(og_ptr);
return {};
}
auto stop_setmgr(vdm::vdm_ctx& v_ctx, PETHREAD pethread) -> NTSTATUS
{
static const auto ntoskrnl_base =
util::get_kmodule_base("ntoskrnl.exe");
const auto [suspend_in_um, suspend_rva] =
util::memory::sig_scan(SUSPEND_THREAD_SIG, SUSPEND_THREAD_MASK);
const auto rip_rva = *reinterpret_cast<std::uint32_t*>(suspend_in_um + 1);
const auto ps_suspend_thread = reinterpret_cast<void*>(ntoskrnl_base + rip_rva + 5 + suspend_rva);
return v_ctx.syscall<PsSuspendThread>(ps_suspend_thread, pethread, nullptr);
}
}

18
PSKDM/set_mgr/set_mgr.hpp
Unescape View File

@ -0,0 +1,18 @@
#pragma once
#include "../vdm_ctx/vdm_ctx.hpp"
using PETHREAD = PVOID;
using PsSuspendThread = NTSTATUS(*)(PETHREAD, PULONG);
using PsLookupThreadByThreadId = NTSTATUS(*)(HANDLE, PETHREAD*);
#define KE_BALANCE_SIG "\x65\x48\x8B\x04\x25\x00\x00\x00\x00\x48\x8B\x88\x00\x00\x00\x00\x48\x8D\x05"
#define KE_BALANCE_MASK "xxxxx????xxx????xxx"
#define SUSPEND_THREAD_SIG "\xE8\x00\x00\x00\x00\x8B\xF8\xBA\x50\x73\x53\x75"
#define SUSPEND_THREAD_MASK "x????xxxxxxx"
namespace set_mgr
{
auto get_setmgr_pethread(vdm::vdm_ctx& v_ctx)->PETHREAD;
auto stop_setmgr(vdm::vdm_ctx& v_ctx, PETHREAD pethread)->NTSTATUS;
}

50
PSKDM/util/util.hpp
Unescape View File

@ -319,4 +319,54 @@ namespace util
}
return NULL;
}
namespace memory
{
template<std::size_t pattern_length>
__forceinline auto sig_scan(const char(&signature)[pattern_length], const char(&mask)[pattern_length]) -> std::pair<std::uintptr_t, std::uint32_t>
{
static const auto ntoskrnl_module =
LoadLibraryEx(
"ntoskrnl.exe",
NULL,
DONT_RESOLVE_DLL_REFERENCES
);
static const auto p_idh = reinterpret_cast<PIMAGE_DOS_HEADER>(ntoskrnl_module);
if (p_idh->e_magic != IMAGE_DOS_SIGNATURE)
return { {}, {} };
static const auto p_inh = reinterpret_cast<PIMAGE_NT_HEADERS>((LPBYTE)ntoskrnl_module + p_idh->e_lfanew);
if (p_inh->Signature != IMAGE_NT_SIGNATURE)
return { {}, {} };
const auto pattern_view =
std::string_view
{
reinterpret_cast<char*>(ntoskrnl_module),
p_inh->OptionalHeader.SizeOfImage
};
std::array<std::pair<char, char>, pattern_length - 1> pattern{};
for (std::size_t index = 0; index < pattern_length - 1; index++)
pattern[index] = { signature[index], mask[index] };
auto resultant_address = std::search
(
pattern_view.cbegin(),
pattern_view.cend(),
pattern.cbegin(),
pattern.cend(),
[](char left, std::pair<char, char> right) -> bool {
return (right.second == '?' || left == right.first);
});
const auto found_address =
resultant_address == pattern_view.cend() ? 0 :
reinterpret_cast<std::uintptr_t>(resultant_address.operator->());
const auto rva = found_address - reinterpret_cast<std::uintptr_t>(ntoskrnl_module);
return { found_address, rva };
}
}
}

48
PSKDM/vdm_ctx/vdm_ctx.cpp
Unescape View File

@ -1,10 +1,13 @@
#include "vdm_ctx.h"
#include "vdm_ctx.hpp"
namespace vdm
{
vdm_ctx::vdm_ctx()
vdm_ctx::vdm_ctx(read_phys_t& read_func, write_phys_t& write_func)
:
read_phys(read_func),
write_phys(write_func)
{
// if we already found the syscall's physical page...
// already found the syscall's physical page...
if (vdm::syscall_address.load())
return;
@ -34,9 +37,37 @@ namespace vdm
search_thread.join();
}
void vdm_ctx::set_read(read_phys_t& read_func)
{
this->read_phys = read_func;
}
void vdm_ctx::set_write(write_phys_t& write_func)
{
this->write_phys = write_func;
}
bool vdm_ctx::rkm(void* dst, void* src, std::size_t size)
{
static const auto ntoskrnl_memcpy =
util::get_kmodule_export("ntoskrnl.exe", "memcpy");
return this->syscall<decltype(&memcpy)>(
ntoskrnl_memcpy, dst, src, size);
}
bool vdm_ctx::wkm(void* dst, void* src, std::size_t size)
{
static const auto ntoskrnl_memcpy =
util::get_kmodule_export("ntoskrnl.exe", "memcpy");
return this->syscall<decltype(&memcpy)>(
ntoskrnl_memcpy, dst, src, size);
}
void vdm_ctx::locate_syscall(std::uintptr_t address, std::uintptr_t length) const
{
const auto page_data =
const auto page_data =
reinterpret_cast<std::uint8_t*>(
VirtualAlloc(
nullptr,
@ -49,7 +80,7 @@ namespace vdm
if (vdm::syscall_address.load())
break;
if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
if (!read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
continue;
// check the first 32 bytes of the syscall, if its the same, test that its the correct
@ -60,7 +91,6 @@ namespace vdm
reinterpret_cast<void*>(
address + page + nt_page_offset));
}
VirtualFree(page_data, PAGE_4KB, MEM_DECOMMIT);
}
@ -81,11 +111,11 @@ namespace vdm
std::uint8_t orig_bytes[sizeof shellcode];
// save original bytes and install shellcode...
vdm::read_phys(syscall_addr, orig_bytes, sizeof orig_bytes);
vdm::write_phys(syscall_addr, shellcode, sizeof shellcode);
read_phys(syscall_addr, orig_bytes, sizeof orig_bytes);
write_phys(syscall_addr, shellcode, sizeof shellcode);
auto result = reinterpret_cast<NTSTATUS(__fastcall*)(void)>(proc)();
vdm::write_phys(syscall_addr, orig_bytes, sizeof orig_bytes);
write_phys(syscall_addr, orig_bytes, sizeof orig_bytes);
syscall_mutex.unlock();
return result == STATUS_SUCCESS;
}

62
PSKDM/vdm_ctx/vdm_ctx.h → PSKDM/vdm_ctx/vdm_ctx.hpp
Unescape View File

@ -5,28 +5,35 @@
#include <thread>
#include <atomic>
#include <mutex>
#include <functional>
#include "../vdm/vdm.hpp"
namespace vdm
{
// change this to whatever you want :^)
constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
inline std::atomic<bool> is_page_found = false;
inline std::atomic<void*> syscall_address = nullptr;
inline std::uint16_t nt_page_offset;
inline std::uint32_t nt_rva;
inline std::uint8_t* ntoskrnl;
using read_phys_t = std::function<decltype(vdm::read_phys)>;
using write_phys_t = std::function<decltype(vdm::write_phys)>;
class vdm_ctx
{
public:
vdm_ctx();
explicit vdm_ctx(read_phys_t& read_func, write_phys_t& write_func);
void set_read(read_phys_t& read_func);
void set_write(write_phys_t& write_func);
bool rkm(void* dst, void* src, std::size_t size);
bool wkm(void* dst, void* src, std::size_t size);
template <class T, class ... Ts>
__forceinline std::invoke_result_t<T, Ts...> syscall(void* addr, Ts ... args) const
{
static const auto proc =
static const auto proc =
GetProcAddress(
LoadLibraryA(syscall_hook.second),
syscall_hook.first
@ -46,12 +53,12 @@ namespace vdm
std::uint8_t orig_bytes[sizeof jmp_code];
*reinterpret_cast<void**>(jmp_code + 6) = addr;
vdm::read_phys(vdm::syscall_address.load(), orig_bytes, sizeof orig_bytes);
read_phys(vdm::syscall_address.load(), orig_bytes, sizeof orig_bytes);
// execute hook...
vdm::write_phys(vdm::syscall_address.load(), jmp_code, sizeof jmp_code);
write_phys(vdm::syscall_address.load(), jmp_code, sizeof jmp_code);
auto result = reinterpret_cast<T>(proc)(args ...);
vdm::write_phys(vdm::syscall_address.load(), orig_bytes, sizeof orig_bytes);
write_phys(vdm::syscall_address.load(), orig_bytes, sizeof orig_bytes);
syscall_mutex.unlock();
return result;
@ -60,35 +67,15 @@ namespace vdm
template <class T>
__forceinline auto rkm(std::uintptr_t addr) -> T
{
static const auto ntoskrnl_memcpy =
util::get_kmodule_export("ntoskrnl.exe", "memcpy");
T buffer;
this->syscall<decltype(&memcpy)>(
ntoskrnl_memcpy, &buffer, (void*)addr, sizeof T);
rkm((void*)&buffer, (void*)addr, sizeof T);
return buffer;
}
template <class T>
__forceinline void wkm(std::uintptr_t addr, const T& value)
__forceinline auto wkm(std::uintptr_t addr, const T& value) -> bool
{
static const auto ntoskrnl_memcpy =
util::get_kmodule_export("ntoskrnl.exe", "memcpy");
this->syscall<decltype(&memcpy)>(
ntoskrnl_memcpy, (void*)addr, &value, sizeof T);
}
__forceinline auto get_virtual(std::uintptr_t addr) -> std::uintptr_t
{
static const auto ntoskrnl_get_virtual =
util::get_kmodule_export(
"ntoskrnl.exe",
"MmGetVirtualForPhysical");
return this->syscall<MmGetVirtualForPhysical>(
ntoskrnl_get_virtual, addr);
return wkm((void*)addr, (void*)&value, sizeof T);
}
__forceinline auto get_peprocess(std::uint32_t pid) -> PEPROCESS
@ -106,8 +93,23 @@ namespace vdm
);
return peproc;
}
__forceinline auto get_virtual(std::uintptr_t addr) -> std::uintptr_t
{
static const auto ntoskrnl_get_virtual =
util::get_kmodule_export(
"ntoskrnl.exe",
"MmGetVirtualForPhysical");
return this->syscall<MmGetVirtualForPhysical>(
ntoskrnl_get_virtual, addr);
}
private:
void locate_syscall(std::uintptr_t begin, std::uintptr_t end) const;
bool valid_syscall(void* syscall_addr) const;
read_phys_t read_phys;
write_phys_t write_phys;
};
}

BIN
um-example/PSKDM.lib
View File

Binary file not shown.

4
um-example/main.cpp
Unescape View File

@ -20,10 +20,10 @@ int __cdecl main(int argc, char** argv)
(
driver_data.data(),
driver_data.size(),
nullptr
nullptr // you can pass your structure here...
);
std::printf("[+] driver mapping result -> 0x%x\n", result);
std::printf("[+] driver mapping result -> 0x%x (0 == STATUS_SUCCESS)\n", result);
std::printf("[+] driver base address (usermode) -> 0x%p\n", driver_base);
std::getchar();
}

17
um-example/map_driver.hpp
Unescape View File

@ -7,13 +7,14 @@ namespace mapper
{
enum class mapper_error
{
error_success = 0x000, // everything is good!
image_invalid = 0x111, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error = 0x222, // unable to load signed driver into the kernel (are you running as admin?)
unload_error = 0x333, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail = 0x444, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed = 0x555, // setting up library dependancies failed!
failed_to_create_proc = 0x777 // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
error_success, // everything is good!
image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error, // unable to load signed driver into the kernel (are you running as admin?)
unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed, // setting up library dependancies failed!
failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
set_mgr_failure // unable to stop working set manager thread... this thread can cause issues with PTM...
};
/// <summary>
@ -23,5 +24,5 @@ namespace mapper
/// <param name="image_size">size of the driver buffer</param>
/// <param name="entry_data">data to be sent to the entry point of the driver...</param>
/// <returns>status of the driver being mapped, and base address of the driver...</returns>
std::pair<mapper_error, void*> map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data);
auto map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data) -> std::pair<mapper_error, void*>;
}
Write Preview
Loading…
Cancel
Save