idk what i added but its done

4 years ago · fb92ede46c
parent 0a6b262243
commit fb92ede46c
5 changed files with 72 additions and 36 deletions
--- a/hyperspace/hyper_ctx/hyper_ctx.cpp
+++ b/hyperspace/hyper_ctx/hyper_ctx.cpp
@ -18,13 +18,30 @@ namespace hyperspace
 		hyperspace_context.second = 
 			v_ctx->get_physical(this->hyperspace_context.first);

-		v_ctx->wkm(reinterpret_cast<void*>(this->hyperspace_context.first),
-			reinterpret_cast<void*>(this->orig_context.first), PAGE_4KB);
+		v_ctx->wkm(reinterpret_cast<void*>(
+			this->hyperspace_context.first),
+				reinterpret_cast<void*>(
+					this->orig_context.first), PAGE_4KB);

 		// make a new kprocess 1:1 with the target process...
 		orig_peproc = v_ctx->get_peprocess(target_ctx->pid);
 		clone_peproc = reinterpret_cast<PEPROCESS>(v_ctx->kalloc(PAGE_4KB));
-		v_ctx->wkm(clone_peproc, orig_peproc, PAGE_4KB);
+
+		// usually PEPROCESS's are 0x80 into a page...
+		// there is some structure above an EPROCESS i do not know what it is
+		// but there is indeed one there so we are gunna copy that bitch!
+		const auto orig_peproc_page = 
+			(reinterpret_cast<std::uintptr_t>(orig_peproc) >> 12) << 12;
+
+		// offset into the page where the actual eprocess begins...
+		const auto clone_peproc_offset =
+			reinterpret_cast<std::uintptr_t>(orig_peproc) & (ULONG64)0xFFF;
+
+		v_ctx->wkm(clone_peproc, 
+			reinterpret_cast<void*>(orig_peproc_page), PAGE_4KB);
+
+		clone_peproc = reinterpret_cast<PEPROCESS>(
+			reinterpret_cast<std::uintptr_t>(clone_peproc) + clone_peproc_offset);

 		// 1: kd > dt !_KPROCESS
 		//	nt!_KPROCESS
@ -34,26 +51,37 @@ namespace hyperspace
 		const auto dirbase_ptr = 
 			reinterpret_cast<std::uintptr_t>(clone_peproc) + KPROCESS_DIRBASE_OFFSET;

-		v_ctx->wkm<std::uintptr_t>(dirbase_ptr, hyperspace_context.second);
+		v_ctx->wkm<std::uintptr_t>(
+			dirbase_ptr, hyperspace_context.second);
 	}

-	auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> void
+	auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> std::pair<bool, PETHREAD>
 	{
-		const auto current_thread = 
+		const auto pethread = 
 			reinterpret_cast<std::uintptr_t>(
-				v_ctx->get_current_thread());
+				v_ctx->get_pethread(tid));
+
+		if (!pethread)
+			return { {}, {} };
 		
 		v_ctx->wkm<PEPROCESS>(
-			current_thread + KTHREAD_PKPROCESS_OFFSET, clone_peproc);
+			pethread + KTHREAD_PKPROCESS_OFFSET, clone_peproc);
+
+		return { true, reinterpret_cast<PETHREAD>(pethread) };
 	}

-	auto hyper_ctx::hyper_ret(std::uint32_t tid) -> void
+	auto hyper_ctx::hyper_ret(std::uint32_t tid) -> std::pair<bool, PETHREAD>
 	{
-		const auto current_thread =
+		const auto pethread =
 			reinterpret_cast<std::uintptr_t>(
-				v_ctx->get_current_thread());
+				v_ctx->get_pethread(tid));
+
+		if (!pethread)
+			return { {}, {} };

 		v_ctx->wkm<PEPROCESS>(
-			current_thread + KTHREAD_PKPROCESS_OFFSET, orig_peproc);
+			pethread + KTHREAD_PKPROCESS_OFFSET, orig_peproc);
+
+		return { true, reinterpret_cast<PETHREAD>(pethread) };
 	}
 }
--- a/hyperspace/hyper_ctx/hyper_ctx.hpp
+++ b/hyperspace/hyper_ctx/hyper_ctx.hpp
@ -4,6 +4,7 @@
 // on windows 10 you should be alright...
 #define KTHREAD_PKPROCESS_OFFSET 0xB8 
 #define KPROCESS_DIRBASE_OFFSET 0x28
+#define KPROCESS_THREAD_LIST_OFFSET 0x30

 namespace hyperspace
 {
@ -16,10 +17,9 @@ namespace hyperspace
 		ptm::ptm_ctx* target_ctx;
 		std::pair<virt_addr_t, phys_addr_t> hyperspace_context, orig_context;
 		PEPROCESS clone_peproc, orig_peproc;
-
 	public:
 		explicit hyper_ctx(ptm::ptm_ctx* target_ctx);
-		auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> void;
-		auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> void;
+		auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
+		auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
 	};
 }
--- a/hyperspace/main.cpp
+++ b/hyperspace/main.cpp
@ -39,12 +39,14 @@ int __cdecl main(int argc, char** argv)
 		return -1;
 	}

-	_read_phys = [&](void* addr, void* buffer, std::size_t size) -> bool
+	_read_phys = 
+		[&](void* addr, void* buffer, std::size_t size) -> bool
 	{
 		return my_proc.read_phys(buffer, addr, size);
 	};

-	_write_phys = [&](void* addr, void* buffer, std::size_t size) -> bool
+	_write_phys = 
+		[&](void* addr, void* buffer, std::size_t size) -> bool
 	{
 		return my_proc.write_phys(buffer, addr, size);
 	};
@ -56,7 +58,7 @@ int __cdecl main(int argc, char** argv)
 	hyperspace.hyper_jmp();
 	{
 		for (auto idx = 0u; idx < 10; ++idx)
-			std::printf("[+] hyperspace cr3 -> 0x%p\n", vdm.readcr3());
+			std::printf("[+] (old thread) hyperspace cr3 -> 0x%p\n", vdm.readcr3());
 	}
 	hyperspace.hyper_ret();
 	std::printf("[+] press any key to close...\n");
--- a/hyperspace/util/nt.hpp
+++ b/hyperspace/util/nt.hpp
@ -61,6 +61,11 @@ using PsLookupProcessByProcessId = NTSTATUS (__fastcall*)(
 	PEPROCESS* Process
 );

+using PsLookupThreadByThreadId = NTSTATUS(__fastcall*)(
+    HANDLE   ThreadId,
+    PETHREAD* Thread
+);
+
 using MmCopyMemory = NTSTATUS(__stdcall*)(
    PVOID, 
    MM_COPY_ADDRESS,
--- a/hyperspace/vdm_ctx/vdm_ctx.hpp
+++ b/hyperspace/vdm_ctx/vdm_ctx.hpp
@ -83,15 +83,11 @@ namespace vdm
 		{
 			static const auto ps_lookup_peproc =
 				util::get_kmodule_export(
-					"ntoskrnl.exe",
-					"PsLookupProcessByProcessId");
+					"ntoskrnl.exe", "PsLookupProcessByProcessId");

 			PEPROCESS peproc = nullptr;
-			this->syscall<PsLookupProcessByProcessId>(
-				ps_lookup_peproc,
-				(HANDLE)pid,
-				&peproc
-			);
+			syscall<PsLookupProcessByProcessId>(
+				ps_lookup_peproc, (HANDLE)pid, &peproc);
 			return peproc;
 		}

@ -99,37 +95,42 @@ namespace vdm
 		{
 			static const auto ntoskrnl_get_virtual =
 				util::get_kmodule_export(
-					"ntoskrnl.exe",
-					"MmGetVirtualForPhysical");
+					"ntoskrnl.exe", "MmGetVirtualForPhysical");

-			return this->syscall<MmGetVirtualForPhysical>(
+			return syscall<MmGetVirtualForPhysical>(
 				ntoskrnl_get_virtual, addr);
 		}

 		__forceinline auto kalloc(std::size_t size) -> std::uintptr_t
 		{
 			static const auto mm_allocate = 
-				util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool");
+				util::get_kmodule_export(
+					"ntoskrnl.exe", "ExAllocatePool");

-			return this->syscall<std::uintptr_t(*)
+			return syscall<std::uintptr_t(*)
 				(std::uint8_t, std::size_t)>(mm_allocate, NULL, size);
 		}

 		__forceinline auto get_physical(std::uintptr_t phys_addr) -> std::uintptr_t
 		{
 			static const auto mm_get_physical = 
-				util::get_kmodule_export("ntoskrnl.exe", "MmGetPhysicalAddress");
+				util::get_kmodule_export(
+					"ntoskrnl.exe", "MmGetPhysicalAddress");

-			return this->syscall<std::uintptr_t(*)
+			return syscall<std::uintptr_t(*)
 				(std::uintptr_t)>(mm_get_physical, phys_addr);
 		}

-		__forceinline auto get_current_thread(void) -> PETHREAD
+		__forceinline auto get_pethread(std::uint32_t tid) -> PETHREAD
 		{
-			static const auto ke_get_thread = 
-				util::get_kmodule_export("ntoskrnl.exe", "KeGetCurrentThread");
+			static const auto ps_lookup_thread = 
+				util::get_kmodule_export(
+					"ntoskrnl.exe", "PsLookupThreadByThreadId");

-			return this->syscall<PETHREAD(*)()>(ke_get_thread);
+			PETHREAD result = nullptr;
+			syscall<PsLookupThreadByThreadId>(
+				ps_lookup_thread, (HANDLE)tid, &result);
+			return result;
 		}

 		__forceinline auto readcr3(void) -> std::uintptr_t