|
|
|
@ -10,21 +10,25 @@ int __cdecl main(int argc, char** argv)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
vdm::vdm_ctx vdm;
|
|
|
|
vdm::vdm_ctx vdm;
|
|
|
|
std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
|
|
|
|
const auto ntoskrnl_base =
|
|
|
|
std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
const auto ntoskrnl_base =
|
|
|
|
|
|
|
|
reinterpret_cast<void*>(
|
|
|
|
reinterpret_cast<void*>(
|
|
|
|
util::get_module_base("ntoskrnl.exe"));
|
|
|
|
util::get_module_base("ntoskrnl.exe"));
|
|
|
|
|
|
|
|
|
|
|
|
const auto ntoskrnl_memcpy =
|
|
|
|
const auto ntoskrnl_memcpy =
|
|
|
|
util::get_kernel_export("ntoskrnl.exe", "memcpy");
|
|
|
|
util::get_kernel_export("ntoskrnl.exe", "memcpy");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
|
|
|
|
|
|
|
|
std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
|
|
|
|
std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
|
|
|
|
std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
|
|
|
|
std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
|
|
|
|
std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
|
|
|
|
|
|
|
|
|
|
|
|
short mz_bytes = 0;
|
|
|
|
short mz_bytes = 0;
|
|
|
|
vdm.syscall<decltype(&memcpy)>(ntoskrnl_memcpy, &mz_bytes, ntoskrnl_base, sizeof mz_bytes);
|
|
|
|
vdm.syscall<decltype(&memcpy)>(
|
|
|
|
|
|
|
|
ntoskrnl_memcpy,
|
|
|
|
|
|
|
|
&mz_bytes,
|
|
|
|
|
|
|
|
ntoskrnl_base,
|
|
|
|
|
|
|
|
sizeof mz_bytes
|
|
|
|
|
|
|
|
);
|
|
|
|
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
|
|
|
|
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
|
|
|
|
|
|
|
|
|
|
|
|
if (!vdm::unload_drv(drv_handle, drv_key))
|
|
|
|
if (!vdm::unload_drv(drv_handle, drv_key))
|
|
|
|
|
xerox
4 years ago