|
|
|
|
@ -11,6 +11,49 @@ paging table manipulation from user-mode. operations such as getting and setting
|
|
|
|
|
Please disable spectra/meltdown since this patch creates two sets of PML4's per process (which i dont support).
|
|
|
|
|
Link to write up can be found [here](https://back.engineering/post/virtual-memory/).
|
|
|
|
|
|
|
|
|
|
# example
|
|
|
|
|
|
|
|
|
|
```cpp
|
|
|
|
|
#include <iostream>
|
|
|
|
|
#include "kernel_ctx/kernel_ctx.h"
|
|
|
|
|
#include "mem_ctx/mem_ctx.hpp"
|
|
|
|
|
|
|
|
|
|
int __cdecl main(int argc, char** argv)
|
|
|
|
|
{
|
|
|
|
|
// only time driver needs to be loaded is to init physmeme/kernel_ctx...
|
|
|
|
|
nasa::load_drv();
|
|
|
|
|
nasa::kernel_ctx kernel;
|
|
|
|
|
if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp))
|
|
|
|
|
std::cout << "[+] flushed PIDDB Cache for physmeme driver..." << std::endl;
|
|
|
|
|
nasa::unload_drv();
|
|
|
|
|
|
|
|
|
|
const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } };
|
|
|
|
|
std::cout << "[+] my pid: " << std::hex << my_proc_data.first << std::endl;
|
|
|
|
|
std::cout << "[+] my base: " << std::showbase << std::hex << my_proc_data.second.value << std::endl;
|
|
|
|
|
|
|
|
|
|
nasa::mem_ctx my_proc(kernel, my_proc_data.first);
|
|
|
|
|
const auto module_base = my_proc_data.second;
|
|
|
|
|
|
|
|
|
|
std::cout << "[+] base address pml4e: " << std::hex << my_proc[module_base.pml4_index].value << std::endl;
|
|
|
|
|
std::cout << "[+] base address pdpte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index}].value << std::endl;
|
|
|
|
|
std::cout << "[+] base address pde: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index}].value << std::endl;
|
|
|
|
|
std::cout << "[+] base address pte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index, module_base.pt_index}].value << std::endl;
|
|
|
|
|
std::cin.get();
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
result:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
[+] flushed PIDDB Cache for physmeme driver...
|
|
|
|
|
[+] my pid: 2634
|
|
|
|
|
[+] my base: 00007FF64BBB0000
|
|
|
|
|
[+] base address pml4e: 0xa000000d82b3867
|
|
|
|
|
[+] base address pdpte: 0xa000002df3b4867
|
|
|
|
|
[+] base address pde: 0xa0000016fcb5867
|
|
|
|
|
[+] base address pte: 0x80000001b1185025
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# table entry manipulation
|
|
|
|
|
- get/set pml4e's
|
|
|
|
|
- get/set pdpte's
|
|
|
|
|
@ -24,4 +67,10 @@ Link to write up can be found [here](https://back.engineering/post/virtual-memor
|
|
|
|
|
# virtual memory
|
|
|
|
|
- convert virtual addresses to physical addresses
|
|
|
|
|
- get table entries for a given address
|
|
|
|
|
- change table entries for a given address
|
|
|
|
|
- change table entries for a given address
|
|
|
|
|
|
|
|
|
|
# limitations
|
|
|
|
|
|
|
|
|
|
- please disable spectre/meltdown!
|
|
|
|
|
- please uninstall avast! (they destory physmeme!)
|
|
|
|
|
- this code may not work for AMD!
|
xerox
4 years ago