|
|
@ -1,5 +1,4 @@
|
|
|
|
#include "kernel_ctx.h"
|
|
|
|
#include "kernel_ctx.h"
|
|
|
|
#include "../mem_ctx/mem_ctx.hpp"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace nasa
|
|
|
|
namespace nasa
|
|
|
|
{
|
|
|
|
{
|
|
|
@ -8,6 +7,13 @@ namespace nasa
|
|
|
|
if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer)
|
|
|
|
if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer)
|
|
|
|
return;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
|
|
|
|
|
|
|
|
LoadLibraryExA(
|
|
|
|
|
|
|
|
"ntoskrnl.exe",
|
|
|
|
|
|
|
|
NULL,
|
|
|
|
|
|
|
|
DONT_RESOLVE_DLL_REFERENCES
|
|
|
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
|
|
nt_rva = reinterpret_cast<std::uint32_t>(
|
|
|
|
nt_rva = reinterpret_cast<std::uint32_t>(
|
|
|
|
util::get_module_export(
|
|
|
|
util::get_module_export(
|
|
|
|
"ntoskrnl.exe",
|
|
|
|
"ntoskrnl.exe",
|
|
|
@ -16,13 +22,6 @@ namespace nasa
|
|
|
|
));
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
|
|
nt_page_offset = nt_rva % PAGE_SIZE;
|
|
|
|
nt_page_offset = nt_rva % PAGE_SIZE;
|
|
|
|
ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
|
|
|
|
|
|
|
|
LoadLibraryExA(
|
|
|
|
|
|
|
|
"ntoskrnl.exe",
|
|
|
|
|
|
|
|
NULL,
|
|
|
|
|
|
|
|
DONT_RESOLVE_DLL_REFERENCES
|
|
|
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
std::vector<std::thread> search_threads;
|
|
|
|
std::vector<std::thread> search_threads;
|
|
|
|
//--- for each physical memory range, make a thread to search it
|
|
|
|
//--- for each physical memory range, make a thread to search it
|
|
|
|
for (auto ranges : util::pmem_ranges)
|
|
|
|
for (auto ranges : util::pmem_ranges)
|
|
|
@ -43,29 +42,34 @@ namespace nasa
|
|
|
|
if (begin + end <= 0x1000 * 512)
|
|
|
|
if (begin + end <= 0x1000 * 512)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
auto page_va = nasa::map_phys(begin + nt_page_offset, end);
|
|
|
|
auto page_va = nasa::map_phys(begin + nt_page_offset, end);
|
|
|
|
last_mapped_virt.store((void*)page_va);
|
|
|
|
|
|
|
|
last_mapping_size.store(end);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (page_va)
|
|
|
|
if (page_va)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// scan every page of the physical memory range
|
|
|
|
// scan every page of the physical memory range
|
|
|
|
for (auto page = page_va; page < page_va + end; page += 0x1000)
|
|
|
|
for (auto page = page_va; page < page_va + end; page += 0x1000)
|
|
|
|
|
|
|
|
{
|
|
|
|
if (!is_page_found.load()) // keep scanning until its found
|
|
|
|
if (!is_page_found.load()) // keep scanning until its found
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
{
|
|
|
|
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
nasa::unmap_phys(page_va, end);
|
|
|
|
nasa::unmap_phys(page_va, end);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -77,9 +81,6 @@ namespace nasa
|
|
|
|
for (auto range = begin; range < begin + end; range += 0x1000 * 512)
|
|
|
|
for (auto range = begin; range < begin + end; range += 0x1000 * 512)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
auto page_va = nasa::map_phys(range + nt_page_offset, 0x1000 * 512);
|
|
|
|
auto page_va = nasa::map_phys(range + nt_page_offset, 0x1000 * 512);
|
|
|
|
last_mapped_virt.store((void*)page_va);
|
|
|
|
|
|
|
|
last_mapping_size.store(0x1000 * 512);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (page_va)
|
|
|
|
if (page_va)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// loop every page of 2mbs (512)
|
|
|
|
// loop every page of 2mbs (512)
|
|
|
@ -87,21 +88,25 @@ namespace nasa
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!is_page_found.load())
|
|
|
|
if (!is_page_found.load())
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nasa::unmap_phys(page_va, 0x1000 * 512);
|
|
|
|
nasa::unmap_phys(page_va, 0x1000 * 512);
|
|
|
@ -110,30 +115,31 @@ namespace nasa
|
|
|
|
|
|
|
|
|
|
|
|
// map the remainder and check each page of it
|
|
|
|
// map the remainder and check each page of it
|
|
|
|
auto page_va = nasa::map_phys(begin + end - remainder + nt_page_offset, remainder);
|
|
|
|
auto page_va = nasa::map_phys(begin + end - remainder + nt_page_offset, remainder);
|
|
|
|
last_mapped_virt.store((void*)page_va);
|
|
|
|
|
|
|
|
last_mapping_size.store(remainder);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (page_va)
|
|
|
|
if (page_va)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
for (auto page = page_va; page < page_va + remainder; page += 0x1000)
|
|
|
|
for (auto page = page_va; page < page_va + remainder; page += 0x1000)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!is_page_found.load())
|
|
|
|
if (!is_page_found.load())
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
nasa::unmap_phys(page_va, remainder);
|
|
|
|
nasa::unmap_phys(page_va, remainder);
|
|
|
@ -197,12 +203,15 @@ namespace nasa
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
if (mm_copy_memory)
|
|
|
|
if (mm_copy_memory)
|
|
|
|
syscall<decltype(&memcpy)>(
|
|
|
|
{
|
|
|
|
|
|
|
|
syscall<decltype(&memcpy)>
|
|
|
|
|
|
|
|
(
|
|
|
|
mm_copy_memory,
|
|
|
|
mm_copy_memory,
|
|
|
|
buffer,
|
|
|
|
buffer,
|
|
|
|
address,
|
|
|
|
address,
|
|
|
|
size
|
|
|
|
size
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void kernel_ctx::wkm(void* buffer, void* address, std::size_t size)
|
|
|
|
void kernel_ctx::wkm(void* buffer, void* address, std::size_t size)
|
|
|
@ -218,12 +227,15 @@ namespace nasa
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
if (mm_copy_memory)
|
|
|
|
if (mm_copy_memory)
|
|
|
|
syscall<decltype(&memcpy)>(
|
|
|
|
{
|
|
|
|
|
|
|
|
syscall<decltype(&memcpy)>
|
|
|
|
|
|
|
|
(
|
|
|
|
mm_copy_memory,
|
|
|
|
mm_copy_memory,
|
|
|
|
address,
|
|
|
|
address,
|
|
|
|
buffer,
|
|
|
|
buffer,
|
|
|
|
size
|
|
|
|
size
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void* kernel_ctx::get_physical(void* virt_addr)
|
|
|
|
void* kernel_ctx::get_physical(void* virt_addr)
|
|
|
@ -237,10 +249,7 @@ namespace nasa
|
|
|
|
"MmGetPhysicalAddress"
|
|
|
|
"MmGetPhysicalAddress"
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
return syscall<MmGetPhysicalAddress>(
|
|
|
|
return syscall<MmGetPhysicalAddress>(mm_get_physical, virt_addr);
|
|
|
|
mm_get_physical,
|
|
|
|
|
|
|
|
virt_addr
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void* kernel_ctx::get_virtual(void* addr)
|
|
|
|
void* kernel_ctx::get_virtual(void* addr)
|
|
|
@ -256,10 +265,7 @@ namespace nasa
|
|
|
|
|
|
|
|
|
|
|
|
PHYSICAL_ADDRESS phys_addr;
|
|
|
|
PHYSICAL_ADDRESS phys_addr;
|
|
|
|
memcpy(&phys_addr, &addr, sizeof(addr));
|
|
|
|
memcpy(&phys_addr, &addr, sizeof(addr));
|
|
|
|
return syscall<MmGetVirtualForPhysical>(
|
|
|
|
return syscall<MmGetVirtualForPhysical>(mm_get_virtual,phys_addr);
|
|
|
|
mm_get_virtual,
|
|
|
|
|
|
|
|
phys_addr
|
|
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp)
|
|
|
|
bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp)
|
|
|
|