From a613710f76191212e56723747b9515b40c88e834 Mon Sep 17 00:00:00 2001 From: xerox Date: Thu, 5 Nov 2020 12:42:43 -0800 Subject: [PATCH] switched back to NtShutdownSystem... --- nasa-tables/vdm_ctx/vdm_ctx.cpp | 9 ++++----- nasa-tables/vdm_ctx/vdm_ctx.h | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/nasa-tables/vdm_ctx/vdm_ctx.cpp b/nasa-tables/vdm_ctx/vdm_ctx.cpp index 57c306f..4eb651c 100644 --- a/nasa-tables/vdm_ctx/vdm_ctx.cpp +++ b/nasa-tables/vdm_ctx/vdm_ctx.cpp @@ -8,14 +8,13 @@ namespace vdm if (vdm::syscall_address.load()) return; - LoadLibraryA("user32.dll"); // required for win32u.dll... - vdm::dxgkrnl_buffer = reinterpret_cast( - LoadLibraryExA("drivers\\dxgkrnl.sys", NULL, + vdm::ntoskrnl = reinterpret_cast( + LoadLibraryExA("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES)); nt_rva = reinterpret_cast( util::get_kmodule_export( - "dxgkrnl.sys", + "ntoskrnl.exe", syscall_hook.first, true )); @@ -55,7 +54,7 @@ namespace vdm // check the first 32 bytes of the syscall, if its the same, test that its the correct // occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)... - if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32)) + if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32)) if (valid_syscall(reinterpret_cast(address + page + nt_page_offset))) syscall_address.store( reinterpret_cast( diff --git a/nasa-tables/vdm_ctx/vdm_ctx.h b/nasa-tables/vdm_ctx/vdm_ctx.h index 5ad84a6..ac64417 100644 --- a/nasa-tables/vdm_ctx/vdm_ctx.h +++ b/nasa-tables/vdm_ctx/vdm_ctx.h @@ -10,14 +10,14 @@ namespace vdm { // change this to whatever you want :^) - constexpr std::pair syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" }; + constexpr std::pair syscall_hook = { "NtShutdownSystem", "ntdll.dll" }; inline std::atomic is_page_found = false; inline std::atomic syscall_address = nullptr; inline std::uint16_t nt_page_offset; inline std::uint32_t nt_rva; - inline std::uint8_t* dxgkrnl_buffer; + inline std::uint8_t* ntoskrnl; class vdm_ctx {