From 103c2304c8df387054ec4f2617c440f4f5f25949 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Fri, 5 Mar 2021 15:48:09 -0800
Subject: [PATCH] fixed c++ symbol name issues
---
 DemoDrv/DemoDrv.vcxproj | 4 ++--
 DemoDrv/DemoDrv.vcxproj.filters | 4 ++--
 DemoDrv/DriverEntry.c | 7 -------
 DemoDrv/DriverEntry.cpp | 7 +++++++
 DemoDrv/ObfuscateDemo.c | 17 -----------------
 DemoDrv/ObfuscateDemo.cpp | 18 ++++++++++++++++++
 DemoDrv/Theodosius.h | 10 +++++++---
 Theodosius/hmdm_ctx.cpp | 2 +-
 8 files changed, 37 insertions(+), 32 deletions(-)
 delete mode 100644 DemoDrv/DriverEntry.c
 create mode 100644 DemoDrv/DriverEntry.cpp
 delete mode 100644 DemoDrv/ObfuscateDemo.c
 create mode 100644 DemoDrv/ObfuscateDemo.cpp
diff --git a/DemoDrv/DemoDrv.vcxproj b/DemoDrv/DemoDrv.vcxproj
index 391c3a4..1d0edc8 100644
--- a/DemoDrv/DemoDrv.vcxproj
+++ b/DemoDrv/DemoDrv.vcxproj
@@ -95,8 +95,8 @@ - - + +
diff --git a/DemoDrv/DemoDrv.vcxproj.filters b/DemoDrv/DemoDrv.vcxproj.filters
index c7f29fe..5218e70 100644
--- a/DemoDrv/DemoDrv.vcxproj.filters
+++ b/DemoDrv/DemoDrv.vcxproj.filters
@@ -10,10 +10,10 @@ - + Source Files - + Source Files
diff --git a/DemoDrv/DriverEntry.c b/DemoDrv/DriverEntry.c
deleted file mode 100644
index 514798d..0000000
--- a/DemoDrv/DriverEntry.c
+++ /dev/null
@@ -1,7 +0,0 @@
-#include "Theodosius.h"
-
-int drv_entry()
-{
- DbgPrint("> hello world! this is a demo!\n");
- DbgPrint("> current pml4 = 0x%p\n", get_dirbase());
-}
\ No newline at end of file
diff --git a/DemoDrv/DriverEntry.cpp b/DemoDrv/DriverEntry.cpp
new file mode 100644
index 0000000..40ae50d
--- /dev/null
+++ b/DemoDrv/DriverEntry.cpp
@@ -0,0 +1,7 @@
+#include "Theodosius.h"
+
+extern "C" int __cdecl drv_entry()
+{
+ DbgPrint("> hello world! this is a demo!\n");
+ DbgPrint("> current pml4 = 0x%p\n", cppdemo::get_dirbase());
+}
\ No newline at end of file
diff --git a/DemoDrv/ObfuscateDemo.c b/DemoDrv/ObfuscateDemo.c
deleted file mode 100644
index b3d8238..0000000
--- a/DemoDrv/ObfuscateDemo.c
+++ /dev/null
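Review bot: `drv_entry` in the new DemoDrv/DriverEntry.cpp is declared to return `int` but its body ends without a `return`. Now that the file is compiled as C++, flowing off the end of a non-void function is undefined behaviour, whereas in the old C file it only mattered if the caller used the result. Add `return 0;` before the closing brace (or whatever status the code that invokes the entry point expects; that caller is not visible here). Separately, `cppdemo::get_dirbase()` returns `unsigned long long` but is printed with `%p`; `0x%llx` matches the argument type.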
@@ -1,17 +0,0 @@
-#include "Theodosius.h"
-extern void* PiddbCacheTable;
-
-ObfuscateRoutine
-unsigned long long get_dirbase()
-{
- cr3 result;
- result.flags =
- *(unsigned long long*)(IoGetCurrentProcess() + 0x28);
-
- result.flags = NULL;
- if (!result.address_of_page_directory)
- return -1;
-
- *(unsigned*)PiddbCacheTable = 0x0;
- return result.address_of_page_directory << 12 + (unsigned long long) &get_dirbase;
-}
\ No newline at end of file
diff --git a/DemoDrv/ObfuscateDemo.cpp b/DemoDrv/ObfuscateDemo.cpp
new file mode 100644
index 0000000..b607ed3
--- /dev/null
+++ b/DemoDrv/ObfuscateDemo.cpp
@@ -0,0 +1,18 @@
+#include "Theodosius.h"
+
+namespace cppdemo
+{
+ ObfuscateRoutine
+ unsigned long long get_dirbase()
+ {
+ cr3 result;
+ result.flags =
+ *(unsigned long long*)(IoGetCurrentProcess() + 0x28);
+
+ result.flags = NULL;
+ if (!result.address_of_page_directory)
+ return -1;
+
+ return result.address_of_page_directory << 12;
+ }
+}
\ No newline at end of file
diff --git a/DemoDrv/Theodosius.h b/DemoDrv/Theodosius.h
index 44c8acd..37fba52 100644
--- a/DemoDrv/Theodosius.h
+++ b/DemoDrv/Theodosius.h
@@ -2,9 +2,13 @@
 #include
 #define ObfuscateRoutine __declspec(code_seg(".theo"))
-unsigned long DbgPrint(const char* format, ...);
-unsigned long long IoGetCurrentProcess();
-unsigned long long get_dirbase();
+extern "C" unsigned long DbgPrint(const char* format, ...);
+extern "C" unsigned long long IoGetCurrentProcess();
+
+namespace cppdemo
+{
+ unsigned long long get_dirbase();
+}
 typedef union
 {
diff --git a/Theodosius/hmdm_ctx.cpp b/Theodosius/hmdm_ctx.cpp
index 1ded267..75f6271 100644
--- a/Theodosius/hmdm_ctx.cpp
+++ b/Theodosius/hmdm_ctx.cpp
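Review bot: In `cppdemo::get_dirbase` (new DemoDrv/ObfuscateDemo.cpp), `result.flags = NULL;` overwrites the value read on the previous statement, so `address_of_page_directory` is always zero and the function always takes the `return -1;` path. The line was carried over unchanged from the deleted C file; if it is deliberate filler for the obfuscation demo, mark it with a comment such as `// intentional dead store, demo only`, otherwise drop it. The read itself dereferences `IoGetCurrentProcess() + 0x28`, a hard-coded structure offset that is not guaranteed to be stable across Windows builds, so a comment naming the field and the builds it was checked against would help the next reader. Returning `-1` from a function typed `unsigned long long` yields the all-ones value; a named constant would make that sentinel explicit.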
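Review bot: The kernel imports in DemoDrv/Theodosius.h are still re-declared by hand with integer types: `IoGetCurrentProcess` is declared as returning `unsigned long long`, although the kernel routine returns a pointer to the process object. That only lines up where pointers are 64 bits wide, and nothing in the header enforces it; `static_assert(sizeof(void*) == sizeof(unsigned long long), "x64 only");` next to the declarations would make the assumption explicit. The two `extern "C"` declarations could also share one `extern "C" { ... }` block. After this change the header can no longer be included from a C translation unit, which is worth a one-line comment at the top.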
@@ -338,7 +338,7 @@ namespace drv
 mapped_symbols[next_instruction_symbol];
 std::printf(" > next instruction symbol = %s, address = 0x%p\n",
- next_instruction_symbol, *reinterpret_cast(
+ next_instruction_symbol.c_str(), *reinterpret_cast(
 &final_instruction[instruction.length + JMP_RIP_ADDR_IDX]));
 const auto instruc_alloc =
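Review bot: The second variadic argument of this `std::printf` still relies on `%p` receiving a pointer. It is the result of dereferencing a `reinterpret_cast` whose target type is not visible on this page, and if that type is an integer such as `std::uintptr_t`, the call keeps the same kind of format/argument mismatch that this commit fixes for `%s`. Wrapping the loaded value in `reinterpret_cast<void*>(...)`, or printing it with `0x%llx`, makes the call well-defined. The context line `mapped_symbols[next_instruction_symbol];` also looks like an `operator[]` lookup, which on a standard map inserts a zero entry for an unknown symbol instead of failing; if that is the container in use, a `find` with an explicit error path would keep a missing symbol from resolving to address 0. The enclosing function starts and ends outside the hunk.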