idk what i added but its done

master
_xeroxz 4 years ago
parent 0a6b262243
commit fb92ede46c

@ -18,13 +18,30 @@ namespace hyperspace
hyperspace_context.second =
v_ctx->get_physical(this->hyperspace_context.first);
v_ctx->wkm(reinterpret_cast<void*>(this->hyperspace_context.first),
reinterpret_cast<void*>(this->orig_context.first), PAGE_4KB);
v_ctx->wkm(reinterpret_cast<void*>(
this->hyperspace_context.first),
reinterpret_cast<void*>(
this->orig_context.first), PAGE_4KB);
// make a new kprocess 1:1 with the target process...
orig_peproc = v_ctx->get_peprocess(target_ctx->pid);
clone_peproc = reinterpret_cast<PEPROCESS>(v_ctx->kalloc(PAGE_4KB));
v_ctx->wkm(clone_peproc, orig_peproc, PAGE_4KB);
// usually PEPROCESS's are 0x80 into a page...
// there is some structure above an EPROCESS i do not know what it is
// but there is indeed one there so we are gunna copy that bitch!
const auto orig_peproc_page =
(reinterpret_cast<std::uintptr_t>(orig_peproc) >> 12) << 12;
// offset into the page where the actual eprocess begins...
const auto clone_peproc_offset =
reinterpret_cast<std::uintptr_t>(orig_peproc) & (ULONG64)0xFFF;
v_ctx->wkm(clone_peproc,
reinterpret_cast<void*>(orig_peproc_page), PAGE_4KB);
clone_peproc = reinterpret_cast<PEPROCESS>(
reinterpret_cast<std::uintptr_t>(clone_peproc) + clone_peproc_offset);
// 1: kd > dt !_KPROCESS
// nt!_KPROCESS
@ -34,26 +51,37 @@ namespace hyperspace
const auto dirbase_ptr =
reinterpret_cast<std::uintptr_t>(clone_peproc) + KPROCESS_DIRBASE_OFFSET;
v_ctx->wkm<std::uintptr_t>(dirbase_ptr, hyperspace_context.second);
v_ctx->wkm<std::uintptr_t>(
dirbase_ptr, hyperspace_context.second);
}
auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> void
auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> std::pair<bool, PETHREAD>
{
const auto current_thread =
const auto pethread =
reinterpret_cast<std::uintptr_t>(
v_ctx->get_current_thread());
v_ctx->get_pethread(tid));
if (!pethread)
return { {}, {} };
v_ctx->wkm<PEPROCESS>(
current_thread + KTHREAD_PKPROCESS_OFFSET, clone_peproc);
pethread + KTHREAD_PKPROCESS_OFFSET, clone_peproc);
return { true, reinterpret_cast<PETHREAD>(pethread) };
}
auto hyper_ctx::hyper_ret(std::uint32_t tid) -> void
auto hyper_ctx::hyper_ret(std::uint32_t tid) -> std::pair<bool, PETHREAD>
{
const auto current_thread =
const auto pethread =
reinterpret_cast<std::uintptr_t>(
v_ctx->get_current_thread());
v_ctx->get_pethread(tid));
if (!pethread)
return { {}, {} };
v_ctx->wkm<PEPROCESS>(
current_thread + KTHREAD_PKPROCESS_OFFSET, orig_peproc);
pethread + KTHREAD_PKPROCESS_OFFSET, orig_peproc);
return { true, reinterpret_cast<PETHREAD>(pethread) };
}
}

@ -4,6 +4,7 @@
// on windows 10 you should be alright...
#define KTHREAD_PKPROCESS_OFFSET 0xB8
#define KPROCESS_DIRBASE_OFFSET 0x28
#define KPROCESS_THREAD_LIST_OFFSET 0x30
namespace hyperspace
{
@ -16,10 +17,9 @@ namespace hyperspace
ptm::ptm_ctx* target_ctx;
std::pair<virt_addr_t, phys_addr_t> hyperspace_context, orig_context;
PEPROCESS clone_peproc, orig_peproc;
public:
explicit hyper_ctx(ptm::ptm_ctx* target_ctx);
auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> void;
auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> void;
auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
};
}

@ -39,12 +39,14 @@ int __cdecl main(int argc, char** argv)
return -1;
}
_read_phys = [&](void* addr, void* buffer, std::size_t size) -> bool
_read_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{
return my_proc.read_phys(buffer, addr, size);
};
_write_phys = [&](void* addr, void* buffer, std::size_t size) -> bool
_write_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{
return my_proc.write_phys(buffer, addr, size);
};
@ -56,7 +58,7 @@ int __cdecl main(int argc, char** argv)
hyperspace.hyper_jmp();
{
for (auto idx = 0u; idx < 10; ++idx)
std::printf("[+] hyperspace cr3 -> 0x%p\n", vdm.readcr3());
std::printf("[+] (old thread) hyperspace cr3 -> 0x%p\n", vdm.readcr3());
}
hyperspace.hyper_ret();
std::printf("[+] press any key to close...\n");

@ -61,6 +61,11 @@ using PsLookupProcessByProcessId = NTSTATUS (__fastcall*)(
PEPROCESS* Process
);
using PsLookupThreadByThreadId = NTSTATUS(__fastcall*)(
HANDLE ThreadId,
PETHREAD* Thread
);
using MmCopyMemory = NTSTATUS(__stdcall*)(
PVOID,
MM_COPY_ADDRESS,

@ -83,15 +83,11 @@ namespace vdm
{
static const auto ps_lookup_peproc =
util::get_kmodule_export(
"ntoskrnl.exe",
"PsLookupProcessByProcessId");
"ntoskrnl.exe", "PsLookupProcessByProcessId");
PEPROCESS peproc = nullptr;
this->syscall<PsLookupProcessByProcessId>(
ps_lookup_peproc,
(HANDLE)pid,
&peproc
);
syscall<PsLookupProcessByProcessId>(
ps_lookup_peproc, (HANDLE)pid, &peproc);
return peproc;
}
@ -99,37 +95,42 @@ namespace vdm
{
static const auto ntoskrnl_get_virtual =
util::get_kmodule_export(
"ntoskrnl.exe",
"MmGetVirtualForPhysical");
"ntoskrnl.exe", "MmGetVirtualForPhysical");
return this->syscall<MmGetVirtualForPhysical>(
return syscall<MmGetVirtualForPhysical>(
ntoskrnl_get_virtual, addr);
}
__forceinline auto kalloc(std::size_t size) -> std::uintptr_t
{
static const auto mm_allocate =
util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool");
util::get_kmodule_export(
"ntoskrnl.exe", "ExAllocatePool");
return this->syscall<std::uintptr_t(*)
return syscall<std::uintptr_t(*)
(std::uint8_t, std::size_t)>(mm_allocate, NULL, size);
}
__forceinline auto get_physical(std::uintptr_t phys_addr) -> std::uintptr_t
{
static const auto mm_get_physical =
util::get_kmodule_export("ntoskrnl.exe", "MmGetPhysicalAddress");
util::get_kmodule_export(
"ntoskrnl.exe", "MmGetPhysicalAddress");
return this->syscall<std::uintptr_t(*)
return syscall<std::uintptr_t(*)
(std::uintptr_t)>(mm_get_physical, phys_addr);
}
__forceinline auto get_current_thread(void) -> PETHREAD
__forceinline auto get_pethread(std::uint32_t tid) -> PETHREAD
{
static const auto ke_get_thread =
util::get_kmodule_export("ntoskrnl.exe", "KeGetCurrentThread");
static const auto ps_lookup_thread =
util::get_kmodule_export(
"ntoskrnl.exe", "PsLookupThreadByThreadId");
return this->syscall<PETHREAD(*)()>(ke_get_thread);
PETHREAD result = nullptr;
syscall<PsLookupThreadByThreadId>(
ps_lookup_thread, (HANDLE)tid, &result);
return result;
}
__forceinline auto readcr3(void) -> std::uintptr_t

Loading…
Cancel
Save