switched back to use NtShutdownSystem

4 years ago · dcfadd1359
parent 08983dc37f
commit dcfadd1359
4 changed files with 17 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ whereas this project is. This project can be used more broadly then physmeme.

 # Example

-In this example VDM syscalls into an inline hook placed on `dxgkrnl.NtGdiDdDDICreateContext` to call memcpy exported from ntoskrnl.exe.
+In this example VDM syscalls into an inline hook placed on `ntoskrnl.NtShutdownSystem` to call memcpy exported from ntoskrnl.exe.

 #### Demo Code
 ```cpp
@ -44,10 +44,11 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);

 #### Demo Code Result
 ```
-[+] drv_handle -> 0xb0, drv_key -> frAQBc8Wsa1xVPfv
-[+] NtGdiDdDDICreateContext physical address -> 0x0000000100ACA5F0
-[+] ntoskrnl base address -> 0xFFFFF80075200000
-[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980
+[+] drv_handle -> 0x100, drv_key -> frAQBc8Wsa1xVPfv
+[+] NtShutdownSystem physical address -> 0x0000000002D0B1A0
+[+] NtShutdownSystem page offset -> 0x1a0
+[+] ntoskrnl base address -> 0xFFFFF80456400000
+[+] ntoskrnl memcpy address -> 0xFFFFF804565D5A80
 [+] kernel MZ -> 0x5a4d
 [+] press any key to close...
 ```
@ -59,7 +60,7 @@ hook by changing this variable inside of `vdm_ctx/vdm_ctx.h`.

 ```cpp
 // change this to whatever you want :^)
-constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem`", "ntdll.dll" };
 ```

 ### vdm::load_drv
--- a/VDM/main.cpp
+++ b/VDM/main.cpp
@ -19,6 +19,7 @@ int __cdecl main(int argc, char** argv)

 	std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
 	std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
+	std::printf("[+] %s page offset -> 0x%x\n", vdm::syscall_hook.first, vdm::nt_page_offset);
 	std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
 	std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);

--- a/VDM/vdm_ctx/vdm_ctx.cpp
+++ b/VDM/vdm_ctx/vdm_ctx.cpp
@ -4,14 +4,13 @@ namespace vdm
 {
 	vdm_ctx::vdm_ctx()
 	{
-		LoadLibraryA("user32.dll"); // required for win32u.dll...
-		vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
-			LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
+		vdm::ntoskrnl = reinterpret_cast<std::uint8_t*>(
+			LoadLibraryExA("ntoskrnl.exe", NULL,
 				DONT_RESOLVE_DLL_REFERENCES));

 		nt_rva = reinterpret_cast<std::uint32_t>(
 			util::get_kernel_export(
-				"dxgkrnl.sys",
+				"ntoskrnl.exe",
 				syscall_hook.first,
 				true
 			));
@ -47,11 +46,14 @@ namespace vdm
 				break;

 			if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
+			{
+				std::printf("[+] failed to read phys...\n");
 				continue;
+			}

 			// check the first 32 bytes of the syscall, if its the same, test that its the correct
 			// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
-			if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
+			if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
 				if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
 					syscall_address.store(
 						reinterpret_cast<void*>(
--- a/VDM/vdm_ctx/vdm_ctx.h
+++ b/VDM/vdm_ctx/vdm_ctx.h
@ -11,14 +11,14 @@
 namespace vdm
 {
 	// change this to whatever you want :^)
-	constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+	constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };

 	inline std::atomic<bool> is_page_found = false;
 	inline std::atomic<void*> syscall_address = nullptr;

 	inline std::uint16_t nt_page_offset;
 	inline std::uint32_t nt_rva;
-	inline std::uint8_t* dxgkrnl_buffer;
+	inline std::uint8_t* ntoskrnl;

 	class vdm_ctx
 	{