fixed dbg prints and cleaned some code up.

xerox 5 years ago
parent 5a71895e8a
commit 169e06a089

@ -28,7 +28,6 @@ For more information, please refer to <http://unlicense.org>
!!!!!!!!!!!!!!!!!!!!!!!!!!! This code was created by not-wlan (wlan). all credit for this header and source file goes to him !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*/
#include <cassert>
#include <fstream>
#include "../drv_image/drv_image.h"
@ -37,10 +36,7 @@ namespace physmeme
drv_image::drv_image(std::vector<uint8_t> image) : m_image(std::move(image))
{
m_dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(m_image.data());
assert(m_dos_header->e_magic == IMAGE_DOS_SIGNATURE);
m_nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS64>((uintptr_t)m_dos_header + m_dos_header->e_lfanew);
assert(m_nt_headers->Signature == IMAGE_NT_SIGNATURE);
assert(m_nt_headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
m_section_header = reinterpret_cast<IMAGE_SECTION_HEADER*>((uintptr_t)(&m_nt_headers->OptionalHeader) + m_nt_headers->FileHeader.SizeOfOptionalHeader);
}
@ -66,9 +62,6 @@ namespace physmeme
const auto target = (uintptr_t)m_image_mapped.data() + section.VirtualAddress;
const auto source = (uintptr_t)m_dos_header + section.PointerToRawData;
std::copy_n(m_image.begin() + section.PointerToRawData, section.SizeOfRawData, m_image_mapped.begin() + section.VirtualAddress);
if constexpr(physmeme_debugging)
printf("[+] copying [%s] 0x%p -> 0x%p [0x%04X]\n", &section.Name[0], (void*)source, (void*)target, section.SizeOfRawData);
}
}
@ -134,13 +127,7 @@ namespace physmeme
const bool doRelocations = image_base_delta != 0 && relocation_size > 0;
if (!doRelocations)
{
if constexpr (physmeme_debugging)
printf("[+] no relocations needed\n");
return;
}
assert(relocation_directory != nullptr);
void* relocation_end = reinterpret_cast<uint8_t*>(relocation_directory) + relocation_size;
@ -153,14 +140,8 @@ namespace physmeme
auto relocation_data = reinterpret_cast<PWORD>(relocation_directory + 1);
for (unsigned long i = 0; i < num_relocs; ++i, ++relocation_data)
{
if (process_relocation(image_base_delta, *relocation_data, (uint8_t*)relocation_base) == FALSE)
{
if constexpr (physmeme_debugging)
printf("[+] failed to relocate!");
return;
}
}
relocation_directory = reinterpret_cast<PIMAGE_BASE_RELOCATION>(relocation_data);
}
@ -179,11 +160,7 @@ namespace physmeme
auto import_descriptors = static_cast<PIMAGE_IMPORT_DESCRIPTOR>(::ImageDirectoryEntryToData(m_image.data(), FALSE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size));
if (import_descriptors == nullptr)
{
if constexpr (physmeme_debugging)
printf("[+] no imports!\n");
return;
}
for (; import_descriptors->Name; import_descriptors++)
{
@ -191,10 +168,6 @@ namespace physmeme
const auto module_name = get_rva<char>(import_descriptors->Name);
const auto module_base = get_module(module_name);
assert(module_base != 0);
if constexpr (physmeme_debugging)
printf("[+] processing module: %s [0x%I64X]\n", module_name, module_base);
if (import_descriptors->OriginalFirstThunk)
image_thunk_data = get_rva<IMAGE_THUNK_DATA>(import_descriptors->OriginalFirstThunk);
@ -202,9 +175,6 @@ namespace physmeme
image_thunk_data = get_rva<IMAGE_THUNK_DATA>(import_descriptors->FirstThunk);
auto image_func_data = get_rva<IMAGE_THUNK_DATA64>(import_descriptors->FirstThunk);
assert(image_thunk_data != nullptr);
assert(image_func_data != nullptr);
for (; image_thunk_data->u1.AddressOfData; image_thunk_data++, image_func_data++)
{
uintptr_t function_address;
@ -212,10 +182,6 @@ namespace physmeme
const auto image_import_by_name = get_rva<IMAGE_IMPORT_BY_NAME>(*(DWORD*)image_thunk_data);
const auto name_of_import = static_cast<char*>(image_import_by_name->Name);
function_address = get_function(module_name, name_of_import);
if constexpr (physmeme_debugging)
printf("[+] function: %s [0x%I64X]\n", name_of_import, function_address);
assert(function_address != 0);
image_func_data->u1.Function = function_address;
}
}
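Review bot: With the debug print at L29 gone, the `target` and `source` locals at L25-L26 exist only to feed it and become unused (assuming those two lines are context and the three removed lines are the guard, the print and a blank), so MSVC will warn with C4189 and a reader is left wondering what they are for. Drop both declarations together with the print, and do the same at L212-L213 in the second copy of this file. The enclosing section-copy loop starts and ends outside the hunk.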

@ -19,19 +19,6 @@ namespace physmeme
LoadLibraryA(ntoskrnl_path)
);
if constexpr (physmeme_debugging)
{
printf("[+] page offset of %s is 0x%llx\n", syscall_hook.first.data(), nt_page_offset);
printf("[+] ntoskrnl_buffer: 0x%p\n", ntoskrnl_buffer);
}
if (!ntoskrnl_buffer || !nt_rva)
{
if constexpr (physmeme_debugging)
printf("[!] ntoskrnl_buffer was 0x%p, nt_rva was 0x%p\n", ntoskrnl_buffer, nt_rva);
return;
}
std::vector<std::thread> search_threads;
//--- for each physical memory range, make a thread to search it
for (auto ranges : util::pmem_ranges)
@ -44,9 +31,6 @@ namespace physmeme
for (std::thread& search_thread : search_threads)
search_thread.join();
if constexpr (physmeme_debugging)
printf("[+] psyscall_func: 0x%p\n", psyscall_func.load());
}
void kernel_ctx::map_syscall(std::uintptr_t begin, std::uintptr_t end) const

@ -7,10 +7,6 @@
namespace physmeme
{
/*
Author: xerox
Date: 4/19/2020
*/
bool __cdecl map_driver(std::vector<std::uint8_t>& raw_driver)
{
physmeme::drv_image image(raw_driver);
@ -21,18 +17,6 @@ namespace physmeme
//
physmeme::unload_drv();
//
// allocate memory in the kernel for the driver
//
const auto pool_base = ctx.allocate_pool(image.size(), NonPagedPool);
printf("[+] allocated 0x%llx at 0x%p\n", image.size(), pool_base);
if (!pool_base)
{
printf("[!] allocation failed!\n");
return -1;
}
//
// lambdas used for fixing driver image
//
@ -50,13 +34,21 @@ namespace physmeme
// fix the driver image
//
image.fix_imports(_get_module, _get_export_name);
printf("[+] fixed imports\n");
image.map();
printf("[+] sections mapped in memory\n");
//
// allocate memory in the kernel for the driver
//
const auto pool_base =
ctx.allocate_pool(
image.size(),
NonPagedPool
);
if (!pool_base)
return -1;
image.relocate(pool_base);
printf("[+] relocations fixed\n");
//
// copy driver into the kernel
@ -76,7 +68,6 @@ namespace physmeme
reinterpret_cast<std::uintptr_t>(pool_base),
image.size()
);
printf("[+] driver entry returned: 0x%p\n", result);
//
// zero driver headers
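Review bot: `if (!pool_base) return -1;` at L158-L159 sits inside `bool map_driver` (L124), so the -1 converts to `true` and an allocation failure is reported to the caller as success; the block it replaces (L135-L139) had the same defect, and the commit rewrote it without fixing it. Change the line to `return false;` and check the other early exits of this function for the same integer-as-bool habit. The remainder of map_driver lies outside the hunks shown.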

@ -1,11 +0,0 @@
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.pdb
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\map_driver.obj
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\kernel_ctx.obj
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\drv_image.obj
c:\users\interesting\desktop\physmeme-master\x64\release\physmeme-lib.lib
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\cl.command.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\cl.read.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\cl.write.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\lib-link.read.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\lib-link.write.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme-lib\x64\release\physmeme-lib.tlog\lib.command.1.tlog

@ -1,4 +0,0 @@
 drv_image.cpp
kernel_ctx.cpp
map_driver.cpp
physmeme-lib.vcxproj -> C:\Users\interesting\Desktop\physmeme-master\x64\Release\physmeme-lib.lib

@ -1,2 +0,0 @@
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.25.28610:TargetPlatformVersion=10.0.18362.0:
Release|x64|C:\Users\interesting\Desktop\physmeme-master\|

@ -28,7 +28,6 @@ For more information, please refer to <http://unlicense.org>
!!!!!!!!!!!!!!!!!!!!!!!!!!! This code was created by not-wlan (wlan). all credit for this header and source file goes to him !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*/
#include <cassert>
#include <fstream>
#include "../drv_image/drv_image.h"
@ -37,10 +36,7 @@ namespace physmeme
drv_image::drv_image(std::vector<uint8_t> image) : m_image(std::move(image))
{
m_dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(m_image.data());
assert(m_dos_header->e_magic == IMAGE_DOS_SIGNATURE);
m_nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS64>((uintptr_t)m_dos_header + m_dos_header->e_lfanew);
assert(m_nt_headers->Signature == IMAGE_NT_SIGNATURE);
assert(m_nt_headers->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
m_section_header = reinterpret_cast<IMAGE_SECTION_HEADER*>((uintptr_t)(&m_nt_headers->OptionalHeader) + m_nt_headers->FileHeader.SizeOfOptionalHeader);
}
@ -66,8 +62,6 @@ namespace physmeme
const auto target = (uintptr_t)m_image_mapped.data() + section.VirtualAddress;
const auto source = (uintptr_t)m_dos_header + section.PointerToRawData;
std::copy_n(m_image.begin() + section.PointerToRawData, section.SizeOfRawData, m_image_mapped.begin() + section.VirtualAddress);
if constexpr(physmeme_debugging)
printf("[+] copying [%s] 0x%p -> 0x%p [0x%04X]\n", &section.Name[0], (void*)source, (void*)target, section.SizeOfRawData);
}
}
@ -135,13 +129,10 @@ namespace physmeme
if (!doRelocations)
{
if constexpr (physmeme_debugging)
printf("[+] no relocations needed\n");
return;
}
assert(relocation_directory != nullptr);
void* relocation_end = reinterpret_cast<uint8_t*>(relocation_directory) + relocation_size;
while (relocation_directory < relocation_end)
@ -156,7 +147,6 @@ namespace physmeme
{
if (process_relocation(image_base_delta, *relocation_data, (uint8_t*)relocation_base) == FALSE)
{
if constexpr (physmeme_debugging)
printf("[+] failed to relocate!");
return;
}
@ -180,7 +170,6 @@ namespace physmeme
if (import_descriptors == nullptr)
{
if constexpr (physmeme_debugging)
printf("[+] no imports!\n");
return;
}
@ -191,9 +180,6 @@ namespace physmeme
const auto module_name = get_rva<char>(import_descriptors->Name);
const auto module_base = get_module(module_name);
assert(module_base != 0);
if constexpr (physmeme_debugging)
printf("[+] processing module: %s [0x%I64X]\n", module_name, module_base);
if (import_descriptors->OriginalFirstThunk)
@ -201,9 +187,7 @@ namespace physmeme
else
image_thunk_data = get_rva<IMAGE_THUNK_DATA>(import_descriptors->FirstThunk);
auto image_func_data = get_rva<IMAGE_THUNK_DATA64>(import_descriptors->FirstThunk);
assert(image_thunk_data != nullptr);
assert(image_func_data != nullptr);
;
for (; image_thunk_data->u1.AddressOfData; image_thunk_data++, image_func_data++)
{
@ -213,9 +197,7 @@ namespace physmeme
const auto name_of_import = static_cast<char*>(image_import_by_name->Name);
function_address = get_function(module_name, name_of_import);
if constexpr (physmeme_debugging)
printf("[+] function: %s [0x%I64X]\n", name_of_import, function_address);
assert(function_address != 0);
image_func_data->u1.Function = function_address;
}
}
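Review bot: The bare `;` at L257 looks like a remnant of deleting the asserts at L255-L256 (it is the only visible new text in a hunk that otherwise drops lines), leaving an empty statement between the thunk lookup and the loop; remove it. More broadly, if the signature asserts in the constructor (L205-L208) are among the three lines the second hunk removes — consistent with `<cassert>` disappearing from the include hunk — the image buffer is now parsed with no sanity check at all, and even before this change `assert` vanished under NDEBUG, so release builds never validated it. An explicit check that fails the constructor (e.g. throw `std::invalid_argument`) when `e_lfanew` plus the NT header does not fit within `m_image.size()` or a signature does not match would give the parser a guard that survives release builds.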

@ -19,33 +19,13 @@ namespace physmeme
LoadLibraryA(ntoskrnl_path)
);
if constexpr (physmeme_debugging)
{
printf("[+] page offset of %s is 0x%llx\n", syscall_hook.first.data(), nt_page_offset);
printf("[+] ntoskrnl_buffer: 0x%p\n", ntoskrnl_buffer);
}
if (!ntoskrnl_buffer || !nt_rva)
{
if constexpr (physmeme_debugging)
printf("[!] ntoskrnl_buffer was 0x%p, nt_rva was 0x%p\n", ntoskrnl_buffer, nt_rva);
return;
}
std::vector<std::thread> search_threads;
//--- for each physical memory range, make a thread to search it
for (auto ranges : util::pmem_ranges)
search_threads.emplace_back(std::thread(
&kernel_ctx::map_syscall,
this,
ranges.first,
ranges.second
));
for (std::thread& search_thread : search_threads)
search_thread.join();
map_syscall(ranges.first, ranges.second);
if constexpr (physmeme_debugging)
printf("[+] psyscall_func: 0x%p\n", psyscall_func.load());
}
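Review bot: The comment at L285, `//--- for each physical memory range, make a thread to search it`, no longer describes the new loop body at L295, which calls `map_syscall` directly; assuming the `std::thread` construction and join at L284-L294 are the removed lines, it should read `//--- for each physical memory range, search it in turn`. The library copy of this file at L92-L114 appears to keep the threaded search, so the two copies now diverge in behavior; if that is intended, a one-line comment saying why would save the next reader a comparison. The loop at L286 also copies every `ranges` pair; `const auto& ranges` avoids that.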

@ -26,18 +26,6 @@ int __cdecl main(int argc, char** argv)
//
physmeme::unload_drv();
//
// allocate memory in the kernel for the driver
//
const auto pool_base = ctx.allocate_pool(image.size(), NonPagedPool);
printf("[+] allocated 0x%llx at 0x%p\n", image.size(), pool_base);
if (!pool_base)
{
printf("[!] allocation failed!\n");
return -1;
}
//
// lambdas used for fixing driver image
//
@ -60,6 +48,18 @@ int __cdecl main(int argc, char** argv)
image.map();
printf("[+] sections mapped in memory\n");
//
// allocate memory in the kernel for the driver
//
const auto pool_base = ctx.allocate_pool(image.size(), NonPagedPool);
printf("[+] allocated 0x%llx at 0x%p\n", image.size(), pool_base);
if (!pool_base)
{
printf("[!] allocation failed!\n");
return -1;
}
image.relocate(pool_base);
printf("[+] relocations fixed\n");
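Review bot: The moved print at L323 passes `image.size()` to `%llx`; if `size()` returns `std::size_t` this only works because MSVC x64 makes both types 64-bit, and `%zx` is the specifier that matches the type on every platform. Placing the block after `image.map()` is the point of the commit, but the library variant at L153-L159 dropped both prints while this one kept them; keeping the two entry points in step avoids confusing anyone comparing the library and executable paths. `main` starts and ends outside the hunk.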

@ -9,7 +9,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>C:\Users\interesting\Desktop\hello-world.sys</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>C:\Users\xerox\Desktop\physmeme\x64\Debug\hello-world.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
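Review bot: This looks like a `.vcxproj.user` file, and both the removed and the added value at L336-L337 are absolute paths under a personal home directory — machine-specific state that Visual Studio regenerates locally. Rather than updating it, remove it from version control and add `*.vcxproj.user` to `.gitignore`; the same applies to the `.tlog`, build-log and `lastbuildstate` files this commit deletes, which should be ignored so they are not re-added by the next build.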

@ -3,7 +3,6 @@
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
constexpr bool physmeme_debugging = true;
constexpr auto ntoskrnl_path = "C:\\Windows\\System32\\ntoskrnl.exe";
constexpr auto page_size = 0x1000;

Binary file not shown.

@ -1,15 +0,0 @@
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\vc142.pdb
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\main.obj
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\kernel_ctx.obj
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\drv_image.obj
c:\users\interesting\desktop\physmeme-master\x64\release\physmeme.exe
c:\users\interesting\desktop\physmeme-master\x64\release\physmeme.pdb
c:\users\interesting\desktop\physmeme-master\x64\release\physmeme.ipdb
c:\users\interesting\desktop\physmeme-master\x64\release\physmeme.iobj
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\cl.command.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\cl.read.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\cl.write.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\link.command.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\link.read.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\link.write.1.tlog
c:\users\interesting\desktop\physmeme-master\physmeme\x64\release\physmeme.tlog\physmeme.write.1u.tlog

@ -1,8 +0,0 @@
 drv_image.cpp
kernel_ctx.cpp
main.cpp
Generating code
Compiler switch has changed, fall back to full compilation.
All 684 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
Finished generating code
physmeme.vcxproj -> C:\Users\interesting\Desktop\physmeme-master\x64\Release\physmeme.exe

@ -1,2 +0,0 @@
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.25.28610:TargetPlatformVersion=10.0.18362.0:
Release|x64|C:\Users\interesting\Desktop\physmeme-master\|

Binary file not shown.