working in vm... testing on metal..

merge-requests/1/head
_xeroxz 4 years ago
parent e011f67935
commit 88a6dcf42c

@ -19,35 +19,27 @@ int __cdecl main(int argc, char** argv)
std::printf("NtShutdownSystem -> 0x%p\n", utils::kmodule::get_export("ntoskrnl.exe", "NtShutdownSystem")); std::printf("NtShutdownSystem -> 0x%p\n", utils::kmodule::get_export("ntoskrnl.exe", "NtShutdownSystem"));
writemsr_t _write_msr = writemsr_t _write_msr =
[&](std::uint32_t reg, std::uintptr_t value) -> void [&](std::uint32_t reg, std::uintptr_t value) -> bool
{ {
// put your code here to write MSR.... // put your code here to write MSR....
// the code is defined in vdm::writemsr for me... // the code is defined in vdm::writemsr for me...
vdm::writemsr(reg, value); return vdm::writemsr(reg, value);
}; };
const auto ex_alloc_pool = vdm::msrexec_ctx msrexec(_write_msr);
reinterpret_cast<ex_alloc_pool_t>( msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void
utils::kmodule::get_export( {
"ntoskrnl.exe", "ExAllocatePool"));
const auto dbg_print = const auto dbg_print =
reinterpret_cast<dbg_print_t>( reinterpret_cast<dbg_print_t>(
utils::kmodule::get_export( get_kroutine(krnl_base, "DbgPrint"));
"ntoskrnl.exe", "DbgPrint"));
vdm::msrexec_ctx msrexec(_write_msr); const auto ex_alloc_pool =
std::printf("press enter to run 100 syscall tests...\n"); reinterpret_cast<ex_alloc_pool_t>(
std::getchar(); get_kroutine(krnl_base, "ExAllocatePool"));
for (auto idx = 0u; idx < 100; ++idx) dbg_print("> allocated pool -> 0x%p\n", ex_alloc_pool(NULL, 0x1000));
{ dbg_print("> cr4 -> 0x%p\n", __readcr4());
msrexec.exec([&ex_alloc_pool, &dbg_print]() -> void
{
dbg_print("> allocated pool -> 0x%p\n",
ex_alloc_pool(NULL, 0x1000));
}); });
}
const auto unload_result = const auto unload_result =
vdm::unload_drv(drv_handle, drv_key); vdm::unload_drv(drv_handle, drv_key);
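Review bot: Inside the `msrexec.exec` lambda, the block returned by `ex_alloc_pool(NULL, 0x1000)` is only printed and never released, so each run leaks a 0x1000-byte pool allocation until reboot; resolve the matching free routine through `get_kroutine` the same way (`ExFreePool` is the documented counterpart of `ExAllocatePool`) and free the block after the print. The two `get_kroutine` results are also cast and called without a null check, and since this lambda appears to run in kernel context a null call would be a bugcheck rather than a user-mode crash — add `if (!dbg_print || !ex_alloc_pool) return;` before the first `dbg_print`. Minor: `__readcr4()` returns an integer, so the `0x%p` in `dbg_print("> cr4 -> 0x%p\n", __readcr4())` should be `0x%llx`. `main` begins and ends outside this hunk.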

@ -29,34 +29,17 @@ namespace vdm
cpuid_eax_07 cpuid_features; cpuid_eax_07 cpuid_features;
__cpuid((int*)&cpuid_features, 7); __cpuid((int*)&cpuid_features, 7);
// if i dont set a bit, it means its 0...
cr4 cr4_value{}; cr4 cr4_value{};
cr4_value.debugging_extensions = true; cr4_value.debugging_extensions = true;
cr4_value.page_size_extensions = true; cr4_value.page_size_extensions = true;
cr4_value.machine_check_enable = true; cr4_value.machine_check_enable = true;
// however the system can still *not* have PAE enabled
// but i assume if its supported, windows will use it...
// if you find out otherwise please email: _xeroxz@back.engineer...
cr4_value.physical_address_extension = cr4_value.physical_address_extension =
cpuid_info.cpuid_feature_information_edx.physical_address_extension; cpuid_info.cpuid_feature_information_edx.physical_address_extension;
// again the system can still *not* have PGE enabled
// but i assume if its supported, windows will use it...
// if you find out otherwise please email: _xeroxz@back.engineer...
cr4_value.page_global_enable =
cpuid_info.cpuid_feature_information_edx.page_global_bit;
// again the system can still *not* have FXSAVE/FXRSTOR enabled
// but i assume if its supported, windows will use it...
// if you find out otherwise please email: _xeroxz@back.engineer...
cr4_value.os_fxsave_fxrstor_support = cr4_value.os_fxsave_fxrstor_support =
cpuid_info.cpuid_feature_information_edx.fxsave_fxrstor_instructions; cpuid_info.cpuid_feature_information_edx.fxsave_fxrstor_instructions;
// windows has this bit high on my VM so I
// assume windows can handle these exceptions...
// if you find out otherwise please email: _xeroxz@back.engineer...
cr4_value.os_xmm_exception_support = true; cr4_value.os_xmm_exception_support = true;
cr4_value.fsgsbase_enable = cr4_value.fsgsbase_enable =
@ -65,6 +48,10 @@ namespace vdm
cr4_value.os_xsave = cr4_value.os_xsave =
IsProcessorFeaturePresent(PF_XSAVE_ENABLED); IsProcessorFeaturePresent(PF_XSAVE_ENABLED);
cr4_value.pcid_enable =
cpuid_info.cpuid_feature_information_ecx
.process_context_identifiers;
m_smep_off.flags = cr4_value.flags; m_smep_off.flags = cr4_value.flags;
m_smep_off.smep_enable = false; m_smep_off.smep_enable = false;
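Review bot: The new `cr4_value.pcid_enable = cpuid_info.cpuid_feature_information_ecx.process_context_identifiers;` sets CR4.PCIDE from CPUID support rather than from what the running OS actually has enabled, and the rest of `cr4_value` is synthesized the same way before being copied into `m_smep_off.flags`. Writing a reconstructed CR4 is exactly where bare metal can diverge from the VM the title says this was tested in: per the SDM a MOV to CR4 that flips PCIDE 0→1 raises #GP(0) unless CR3[11:0] is zero, and clearing bits the OS relies on (PGE, PCIDE) changes TLB behaviour system-wide. The safer shape is to capture the live register with `__readcr4()` once in kernel context (main.cpp already calls it there) and derive `m_smep_off` from that by clearing only `smep_enable`; if that is not possible where this runs, keep at least one comment stating that the value is reconstructed from CPUID and which bits are assumed, since the commit appears to remove the caveats that documented this. The enclosing function starts outside the hunk.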

@ -17,9 +17,6 @@
<ClInclude Include="raw_driver.hpp"> <ClInclude Include="raw_driver.hpp">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="syscall_handler.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="utils.hpp"> <ClInclude Include="utils.hpp">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
@ -32,6 +29,9 @@
<ClInclude Include="ia32.hpp"> <ClInclude Include="ia32.hpp">
<Filter>Header Files</Filter> <Filter>Header Files</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="syscall_handler.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="main.cpp"> <ClCompile Include="main.cpp">

@ -0,0 +1,14 @@
#pragma once
#include "ia32.hpp"
extern "C" std::uint32_t m_kpcr_rsp_offset;
extern "C" std::uint32_t m_kpcr_krsp_offset;
extern "C" std::uintptr_t m_pop_rcx_gadget;
extern "C" std::uintptr_t m_mov_cr4_gadget;
extern "C" std::uintptr_t m_sysret_gadget;
extern "C" cr4 m_smep_on;
extern "C" cr4 m_smep_off;
extern "C" std::uintptr_t m_system_call;
extern "C" void syscall_wrapper(...);
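Review bot: The header uses `std::uint32_t` and `std::uintptr_t` but includes only `"ia32.hpp"`, so it compiles only if that header transitively pulls in `<cstdint>`; add `#include <cstdint>` after `#pragma once`. None of the nine `extern "C"` symbols are documented: a short block comment above them stating where they are defined (they look like they are shared with an assembly translation unit — please confirm), which side writes each one, and that they are process-wide mutable globals with no synchronization would help the next reader. `void syscall_wrapper(...)` with no fixed parameter is valid C++ but cannot be declared that way in C before C23, so state the intent in the comment or give it a fixed parameter if one is meaningful.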