diff --git a/physmeme-lib/kernel_ctx/kernel_ctx.cpp b/physmeme-lib/kernel_ctx/kernel_ctx.cpp index bff33f3..a322c2d 100644 --- a/physmeme-lib/kernel_ctx/kernel_ctx.cpp +++ b/physmeme-lib/kernel_ctx/kernel_ctx.cpp @@ -43,22 +43,30 @@ namespace physmeme { // scan every page of the physical memory range for (auto page = page_va; page < page_va + end; page += 0x1000) + { if (!is_page_found.load()) // keep scanning until its found - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} + } + } physmeme::unmap_phys(page_va, end); } } 
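Review bot: The new `__except (EXCEPTION_EXECUTE_HANDLER) {}` wrapped around the memcmp/probe block swallows every SEH exception silently, not only the access violation that reading an unreadable page (or calling through a wrong candidate) would raise, so unrelated faults in this loop now disappear without a trace; filter it, e.g. `__except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {}`, and give the empty handler a comment such as `// unreadable page or faulting candidate: treat as a miss and keep scanning`. The fault path also leaves `psyscall_func` pointing at the page that just faulted, because the store precedes the probe and nothing in the handler resets it, so a scan that ends without a later match exits with a known-bad pointer still stored. The identical wrapper is repeated in the two later hunks of this file and in all three hunks of physmeme/kernel_ctx/kernel_ctx.cpp; moving the guarded probe into one small helper would fix all six places at once and keeps the `__try` in a function with no objects needing unwinding, which MSVC appears to require. The enclosing function begins before this hunk.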
@@ -77,21 +85,25 @@ namespace physmeme { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } physmeme::unmap_phys(page_va, 0x1000 * 512); 
@@ -106,21 +118,25 @@ namespace physmeme { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } physmeme::unmap_phys(page_va, remainder); diff --git a/physmeme/kernel_ctx/kernel_ctx.cpp b/physmeme/kernel_ctx/kernel_ctx.cpp index af193b3..4f05dd9 100644 --- a/physmeme/kernel_ctx/kernel_ctx.cpp +++ b/physmeme/kernel_ctx/kernel_ctx.cpp 
@@ -43,22 +43,30 @@ namespace physmeme { // scan every page of the physical memory range for (auto page = page_va; page < page_va + end; page += 0x1000) + { if (!is_page_found.load()) // keep scanning until its found - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} + } + } physmeme::unmap_phys(page_va, end); } } 
@@ -77,21 +85,25 @@ namespace physmeme { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } physmeme::unmap_phys(page_va, 0x1000 * 512); 
@@ -106,21 +118,25 @@ namespace physmeme { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } physmeme::unmap_phys(page_va, remainder);