From ccfa50db8c7797ec2c031beb7aad8a19916bcf00 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 2 Nov 2020 01:47:50 +0000 Subject: [PATCH 1/4] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dceb7cc..21205ed 100644 --- a/README.md +++ b/README.md @@ -42,8 +42,8 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes); #### Demo Code Result ``` -[+] drv_handle -> 0x70, drv_key -> frAQBc8Wsa1xVPfv -[+] NtShutdownSystem physical address -> 0x00000000109BB3A0 +[+] drv_handle -> 0xb0, drv_key -> frAQBc8Wsa1xVPfv +[+] NtGdiDdDDICreateContext physical address -> 0x0000000100ACA5F0 [+] ntoskrnl base address -> 0xFFFFF80075200000 [+] ntoskrnl memcpy address -> 0xFFFFF800755F0980 [+] kernel MZ -> 0x5a4d From 4b0949ef41d8c6c323ff55485cea84624eeac054 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 2 Nov 2020 01:51:06 +0000 Subject: [PATCH 2/4] Update README.md --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 21205ed..f9d8e00 100644 --- a/README.md +++ b/README.md 
@@ -7,13 +7,11 @@ # Vulnerable Driver Manipulation A library to manipulate drivers exposing a physical memory read/write primitive to allow the user to call any function in the kernel. There are thousands of drivers exposing physical -memory read/write, a bunch are listed in this repo. Currently the project is using gdrv.sys, and is inline hooking NtShutdownSystem. The inline hook is not patchguard friendly, -but is removed after every syscall into NtShutdownSystem to prevent triggering patchguard. Although this is not patchguard friendly, using this to call a few hundred kernel functions will most likely not cause any issues. -This library is not ment to be used by itself, it is ment to help the programmer setup whatever they need to in the kernel (like mapping a driver or setting up paging tables). +memory read/write, a bunch are listed in this repo. Currently the project is using gdrv.sys, and is inline hooking `dxgkrnl.NtGdiDdDDICreateContext`. # Example -In this example VDM syscalls into an inline hook placed on NtShutdownSystem to call memcpy exported from ntoskrnl.exe. +In this example VDM syscalls into an inline hook placed on `dxgkrnl.NtGdiDdDDICreateContext` to call memcpy exported from ntoskrnl.exe. #### Demo Code ```cpp From 22b84454bc2ebc74fd17e51223b86cbb4e6e5ce9 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 2 Nov 2020 02:11:51 +0000 Subject: [PATCH 3/4] Update README.md --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f9d8e00..77b043b 100644 --- a/README.md +++ b/README.md 
@@ -50,7 +50,13 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes); # Usage -Currently the project is configured to use gdrv, but if you want to swap the driver out you must defined four functions. +Currently the project is configured to use gdrv, but if you want to swap the driver out you must defined four functions. You can also change which syscall you want to +hook by changing this variable inside of `vdm.h`. + +```cpp +// change this to whatever you want :^) +constexpr std::pair syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" }; +``` ### vdm::load_drv From 86bf31104c0610fe789294ebe67ce6ca46e2e9d2 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 2 Nov 2020 02:16:38 +0000 Subject: [PATCH 4/4] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 77b043b..8bdcab6 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes); # Usage Currently the project is configured to use gdrv, but if you want to swap the driver out you must defined four functions. You can also change which syscall you want to -hook by changing this variable inside of `vdm.h`. +hook by changing this variable inside of `vdm_ctx/vdm_ctx.h`. ```cpp // change this to whatever you want :^)
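Review bot: PATCH 1/4 (`@@ -42,8 +42,8 @@`, the `Demo Code Result` block) replaces `NtShutdownSystem physical address` with `NtGdiDdDDICreateContext physical address` while the README text at lines 7-13 still says the project is hooking `NtShutdownSystem` until PATCH 2/4 lands, so the series has an intermediate commit whose demo output contradicts its own explanation; squash 1/4 into 2/4, or reorder them so the prose change comes first. The commit subject `Update README.md` should also record what actually changed (hook target moved from NtShutdownSystem to NtGdiDdDDICreateContext, demo `drv_handle` and physical address values refreshed), because the diff is the only place that information survives.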
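Review bot: PATCH 2/4 (`@@ -7,13 +7,11 @@`) deletes the only description of the hook's lifetime and its PatchGuard caveat (`The inline hook is not patchguard friendly, but is removed after every syscall into NtShutdownSystem to prevent triggering patchguard.`) together with the note that the library is not meant to be used by itself, and the replacement line says only that the project is `inline hooking dxgkrnl.NtGdiDdDDICreateContext`. If the hook is still restored after every call, keep that sentence with the new function name; if moving the hook into dxgkrnl is what makes the caveat unnecessary, say so explicitly, because a reader of the new text cannot tell whether a persistent kernel patch is left behind. The new text also names the target as `dxgkrnl.NtGdiDdDDICreateContext`, whereas PATCH 3/4 configures it as `{ "NtGdiDdDDICreateContext", "win32u.dll" }`; one sentence explaining what the DLL in the pair is used for (resolving the user-mode syscall stub by export name) would reconcile the two.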
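Review bot: PATCH 3/4 (`@@ -50,7 +50,13 @@`) shows `constexpr std::pair syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };` with no template arguments, which only compiles under C++17 class template argument deduction (deducing `std::pair<const char*, const char*>`); either quote the declaration exactly as it appears in the header or state the language standard the project builds with. The rewritten sentence also carries the pre-existing typo `you must defined four functions` into the `+` line; since the line is being changed anyway, make it `you must define four functions`. Finally, the comment `// change this to whatever you want :^)` gives no constraints: the second element is a DLL name, so document that the first element must be a syscall whose stub is exported by that DLL, otherwise the lookup described in the Usage section has nothing to resolve.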
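Review bot: PATCH 4/4 (`@@ -51,7 +51,7 @@`) only corrects the header path from `vdm.h` to `vdm_ctx/vdm_ctx.h` that PATCH 3/4 introduced a few minutes earlier, so the series briefly documents a file at a path that does not exist in the repository; squash this fix into PATCH 3/4. The unchanged context line `you must defined four functions` is still wrong here as well and should read `must define`.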