|
|
@ -43,22 +43,30 @@ namespace physmeme
|
|
|
|
{
|
|
|
|
{
|
|
|
|
// scan every page of the physical memory range
|
|
|
|
// scan every page of the physical memory range
|
|
|
|
for (auto page = page_va; page < page_va + end; page += 0x1000)
|
|
|
|
for (auto page = page_va; page < page_va + end; page += 0x1000)
|
|
|
|
|
|
|
|
{
|
|
|
|
if (!is_page_found.load()) // keep scanning until its found
|
|
|
|
if (!is_page_found.load()) // keep scanning until its found
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
{
|
|
|
|
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
physmeme::unmap_phys(page_va, end);
|
|
|
|
physmeme::unmap_phys(page_va, end);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
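Review bot: The `__except (EXCEPTION_EXECUTE_HANDLER) {}` added around the probe swallows every exception, so a fault raised by the `get_proc_base` probe after `psyscall_func.store((void*)page)` has already run leaves `psyscall_func` pointing at a candidate page that was never validated, and nothing in the hunk restores it before the loop moves on. Narrow the filter to the fault the page read can actually raise, `__except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)`, and consider restoring the previous `psyscall_func` value in the handler body (its initial value is not visible in this hunk, so whether `nullptr` is the right reset needs confirming). The same empty handler is introduced in the two following hunks (`@ -77,21 +85,25 @@` and `@ -106,21 +118,25 @@`), and this hunk spells the probe `GetModuleHandleA(NULL)` where those two use `GetModuleHandle(NULL)`; one spelling should be used throughout. The enclosing function starts before this hunk.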
|
|
|
@ -77,21 +85,25 @@ namespace physmeme
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!is_page_found.load())
|
|
|
|
if (!is_page_found.load())
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
physmeme::unmap_phys(page_va, 0x1000 * 512);
|
|
|
|
physmeme::unmap_phys(page_va, 0x1000 * 512);
|
|
|
@ -106,21 +118,25 @@ namespace physmeme
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!is_page_found.load())
|
|
|
|
if (!is_page_found.load())
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
__try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
//
|
|
|
|
if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
{
|
|
|
|
//
|
|
|
|
//
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
//
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
psyscall_func.store((void*)page);
|
|
|
|
|
|
|
|
auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (my_proc_base != my_proc_base_from_syscall)
|
|
|
|
is_page_found.store(true);
|
|
|
|
continue;
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
is_page_found.store(true);
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
physmeme::unmap_phys(page_va, remainder);
|
|
|
|
physmeme::unmap_phys(page_va, remainder);
|
|
|
|