added WriteProcessMemory fix..

pclone/main.cpp

@@ -2,6 +2,7 @@
 #include "mem_ctx/mem_ctx.hpp"
 #include "pclone_ctx/pclone_ctx.hpp"
 #include "set_mgr/set_mgr.hpp"
+#include "vad/vad.hpp"
 
 int __cdecl main(int argc, char** argv)
 {
@@ -35,12 +36,10 @@ int __cdecl main(int argc, char** argv)
 	vdm::vdm_ctx vdm(_read_phys, _write_phys);
 	nasa::mem_ctx my_proc(vdm);
 
+	// shoot the tires off the working set manager thread...
 	const auto set_mgr_pethread = set_mgr::get_setmgr_pethread(vdm);
 	const auto result = set_mgr::stop_setmgr(vdm, set_mgr_pethread);
 
-	std::printf("[+] set manager pethread -> 0x%p\n", set_mgr_pethread);
-	std::printf("[+] result -> 0x%x\n", result);
-
 	// read physical memory via paging tables and not with the driver...
 	_read_phys = [&my_proc](void* addr, void* buffer, std::size_t size) -> bool
 	{
@@ -66,6 +65,14 @@ int __cdecl main(int argc, char** argv)
 	nasa::pclone_ctx clone_ctx(&target_proc);
 	const auto [clone_pid, clone_handle] = clone_ctx.clone();
 
+	const auto clone_peproc = 
+		vdm.get_peprocess(clone_pid);
+
+	const auto clone_vad = 
+		vad::get_vad_root(vdm, vdm.get_peprocess(std::atoi(argv[2])));
+
+	vad::set_vad_root(vdm, clone_peproc, clone_vad);
+
 	unsigned short mz = 0u;
 	std::size_t bytes_read;
 	ReadProcessMemory(clone_handle, GetModuleHandleA("ntdll.dll"), &mz, sizeof mz, &bytes_read);

pclone/pclone.vcxproj

@@ -87,6 +87,7 @@
     <ClCompile Include="mem_ctx\mem_ctx.cpp" />
     <ClCompile Include="pclone_ctx\pclone_ctx.cpp" />
     <ClCompile Include="set_mgr\set_mgr.cpp" />
+    <ClCompile Include="vad\vad.cpp" />
     <ClCompile Include="vdm_ctx\vdm_ctx.cpp" />
   </ItemGroup>
   <ItemGroup>
@@ -96,6 +97,7 @@
     <ClInclude Include="util\loadup.hpp" />
     <ClInclude Include="util\nt.hpp" />
     <ClInclude Include="util\util.hpp" />
+    <ClInclude Include="vad\vad.hpp" />
     <ClInclude Include="vdm\raw_driver.hpp" />
     <ClInclude Include="vdm\vdm.hpp" />
     <ClInclude Include="vdm_ctx\vdm_ctx.hpp" />

pclone/pclone.vcxproj.filters

@@ -32,6 +32,9 @@
     <ClCompile Include="set_mgr\set_mgr.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="vad\vad.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="vdm\raw_driver.hpp">
@@ -61,6 +64,9 @@
     <ClInclude Include="set_mgr\set_mgr.hpp">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="vad\vad.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="icon.rc">

pclone/vad/vad.cpp

@@ -0,0 +1,30 @@
+#include "vad.hpp"
+
+namespace vad
+{
+	auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t
+	{
+		const auto [um_addr, base_offset] =
+			util::memory::sig_scan(VAD_OFFSET_SIG, VAD_OFFSET_MASK);
+
+		return *reinterpret_cast<std::uint32_t*>(um_addr + 3);
+	}
+
+	auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t
+	{
+		static const auto vad_offset = 
+			vad::get_vad_offset(v_ctx);
+
+		return v_ctx.rkm<std::uintptr_t>(
+			reinterpret_cast<std::uintptr_t>(process) + vad_offset);
+	}
+
+	auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void
+	{
+		static const auto vad_offset =
+			vad::get_vad_offset(v_ctx);
+
+		v_ctx.wkm<std::uintptr_t>(
+			reinterpret_cast<std::uintptr_t>(process) + vad_offset, vad_root);
+	}
+}

pclone/vad/vad.hpp

@@ -0,0 +1,11 @@
+#include "../vdm_ctx/vdm_ctx.hpp"
+
+#define VAD_OFFSET_SIG "\x48\x8B\x00\x00\x00\x00\x00\x48\xC1\xEB\x0C\xEB"
+#define VAD_OFFSET_MASK "xx?????xxxxx"
+
+namespace vad
+{
+	auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t;
+	auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t;
+	auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void;
+}