|
|
@ -4,14 +4,13 @@ namespace vdm
|
|
|
|
{
|
|
|
|
{
|
|
|
|
vdm_ctx::vdm_ctx()
|
|
|
|
vdm_ctx::vdm_ctx()
|
|
|
|
{
|
|
|
|
{
|
|
|
|
LoadLibraryA("user32.dll"); // required for win32u.dll...
|
|
|
|
vdm::ntoskrnl = reinterpret_cast<std::uint8_t*>(
|
|
|
|
vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
|
|
|
|
LoadLibraryExA("ntoskrnl.exe", NULL,
|
|
|
|
LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
|
|
|
|
|
|
|
|
DONT_RESOLVE_DLL_REFERENCES));
|
|
|
|
DONT_RESOLVE_DLL_REFERENCES));
|
|
|
|
|
|
|
|
|
|
|
|
nt_rva = reinterpret_cast<std::uint32_t>(
|
|
|
|
nt_rva = reinterpret_cast<std::uint32_t>(
|
|
|
|
util::get_kernel_export(
|
|
|
|
util::get_kernel_export(
|
|
|
|
"dxgkrnl.sys",
|
|
|
|
"ntoskrnl.exe",
|
|
|
|
syscall_hook.first,
|
|
|
|
syscall_hook.first,
|
|
|
|
true
|
|
|
|
true
|
|
|
|
));
|
|
|
|
));
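Review bot: The handle returned by `LoadLibraryExA("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES)` is cast and stored in `vdm::ntoskrnl` with no null check visible in this hunk, and the bare module name is resolved through the default DLL search order, which consults the application directory before System32. A failed load would leave `vdm::ntoskrnl` null for every later `ntoskrnl + nt_rva` use, and a same-named file placed beside the executable would be mapped instead of the system image. I would add `if (!vdm::ntoskrnl) throw std::runtime_error("failed to map ntoskrnl.exe");` after the assignment and pass `LOAD_LIBRARY_SEARCH_SYSTEM32` together with the existing flag. The constructor body continues outside the hunk, and the old/new sides here are inferred from the hunk's 14/13 line counts.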
|
|
|
@ -47,11 +46,14 @@ namespace vdm
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
|
|
|
|
if (!vdm::read_phys(reinterpret_cast<void*>(address + page), page_data, PAGE_4KB))
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
std::printf("[+] failed to read phys...\n");
|
|
|
|
continue;
|
|
|
|
continue;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// check the first 32 bytes of the syscall, if its the same, test that its the correct
|
|
|
|
// check the first 32 bytes of the syscall, if its the same, test that its the correct
|
|
|
|
// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
|
|
|
|
// occurrence of these bytes (since dxgkrnl is loaded into physical memory at least 2 times now)...
|
|
|
|
if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
|
|
|
|
if (!memcmp(page_data + nt_page_offset, ntoskrnl + nt_rva, 32))
|
|
|
|
if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
|
|
|
|
if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
|
|
|
|
syscall_address.store(
|
|
|
|
syscall_address.store(
|
|
|
|
reinterpret_cast<void*>(
|
|
|
|
reinterpret_cast<void*>(
|
|
|
|