Update README.md

merge-requests/1/head
_xeroxz 4 years ago
parent 5baa613bba
commit 1162a330b7

@ -14,26 +14,40 @@ but is removed after every syscall into NtShutdownSystem to prevent possible det
In this example VDM syscalls into an inline hook placed on NtShutdownSystem to call memcpy exported from ntoskrnl.exe. In this example VDM syscalls into an inline hook placed on NtShutdownSystem to call memcpy exported from ntoskrnl.exe.
#### Demo Code
```cpp ```cpp
vdm::vdm_ctx vdm; vdm::vdm_ctx vdm;
const auto ntoskrnl_base = const auto ntoskrnl_base =
reinterpret_cast<void*>( reinterpret_cast<void*>(
util::get_module_base("ntoskrnl.exe")); util::get_module_base("ntoskrnl.exe"));
const auto ntoskrnl_memcpy = const auto ntoskrnl_memcpy =
util::get_kernel_export("ntoskrnl.exe", "memcpy"); util::get_kernel_export("ntoskrnl.exe", "memcpy");
std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str()); std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load()); std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base); std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy); std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
short mz_bytes = 0; short mz_bytes = 0;
vdm.syscall<decltype(&memcpy)>(ntoskrnl_memcpy, &mz_bytes, ntoskrnl_base, sizeof mz_bytes); vdm.syscall<decltype(&memcpy)>(
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes); ntoskrnl_memcpy,
&mz_bytes,
ntoskrnl_base,
sizeof mz_bytes
);
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
``` ```
#### Demo Code Result
```
[+] drv_handle -> 0x70, drv_key -> frAQBc8Wsa1xVPfv
[+] NtShutdownSystem physical address -> 0x00000000109BB3A0
[+] ntoskrnl base address -> 0xFFFFF80075200000
[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980
[+] kernel MZ -> 0x5a4d
[+] press any key to close...
```
# Usage # Usage
