IDontCode
/
physmeme
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update README.md

Browse Source
merge-requests/1/head
xerox 4 years ago
parent cef765b7af
commit aa2c57feed
1 changed files with 0 additions and 100 deletions
Show Stats Download Patch File Download Diff File

100
README.md
Unescape View File

@ -11,14 +11,6 @@ Before I begin, those who helped me create this project shall be credited.
Given ANY map/unmap (read/write) of physical memory, one can now systematically map unsigned code into ones kernel. Given ANY map/unmap (read/write) of physical memory, one can now systematically map unsigned code into ones kernel.
Many drivers expose this primitive and now can all be exploited by simply coding a few functions. Many drivers expose this primitive and now can all be exploited by simply coding a few functions.
# WARNING
All anti virus softwares must be disabled/uninstalled avast specically... they hook the system service dispatch table with their HV and prevent physmeme from working...
### What versions of windows does this mapper support?
This mapper should work without any issues for pretty much all versions of relevant windows. Tested on windows 10 (1803-1909), but should support all the way back to vista.
### What drivers support physical read/write? ### What drivers support physical read/write?
Any driver exposing MmMapIoSpace/MmUnmapIoSpace or ZwMapViewOfSection/ZwUnmapViewOfSection can be exploited. This means bios flashing utils, fan speed utils Any driver exposing MmMapIoSpace/MmUnmapIoSpace or ZwMapViewOfSection/ZwUnmapViewOfSection can be exploited. This means bios flashing utils, fan speed utils
@ -46,98 +38,6 @@ Less then one second. For each physical memory range I create a thread that maps
In other words... its very fast, you wont need to worry about waiting to find the correct page. In other words... its very fast, you wont need to worry about waiting to find the correct page.
# How to use
There are four functions that need to be altered to make this mapper work for you. I will cover each one by one. These functions are defined inside of a `physmeme.hpp` and need
to stay inside of this file. This allows people to make different `physmeme.hpp` files for each driver they want to abuse. Modular code.
When writing your driver you will need a custom entry point just like every other driver mapper.
### `HANDLE load_drv()`
Load driver must take zero parameters and return a handle to the driver. Here is an example of this:
```cpp
/*
please code this function depending on your method of physical read/write.
*/
HANDLE load_drv()
{
static const auto load_driver_ptr =
reinterpret_cast<__int64(*)()>(
GetProcAddress(LoadLibrary("pmdll64.dll"), "LoadPhyMemDriver"));
if (load_driver_ptr)
load_driver_ptr();
//--- i dont ever use this handle, its just an example of what you should do.
return CreateFileA("\\\\.\\PhyMem", 0xC0000000, 3u, 0i64, 3u, 0x80u, 0i64);
}
```
note: my exploited driver actually came with a dll that exported all the functions.
### `bool unload_drv()`
Unload driver can and should return a bool but its not needed. There is also no need to pass any parameters since the driver handle is global.
```cpp
/*
please code this function depending on your method of physical read/write.
*/
bool unload_drv()
{
static const auto unload_driver_ptr =
reinterpret_cast<__int64(*)()>(
GetProcAddress(LoadLibrary("pmdll64.dll"), "UnloadPhyMemDriver"));
return unload_driver_ptr ? unload_driver_ptr() : false;
}
```
### `std::uintptr_t map_phys(std::uintptr_t addr, std::size_t size)`
This function MUST take two parameters the first is the physical address to be mapped, the second is the size to be mapped. The return
value is the virtual address of the mapping.
```cpp
/*
please code this function depending on your method of physical read/write.
*/
std::uintptr_t map_phys(
std::uintptr_t addr,
std::size_t size
)
{
//--- ensure the validity of the address we are going to try and map
if (!is_valid(addr))
return NULL;
static const auto map_phys_ptr =
reinterpret_cast<__int64(__fastcall*)(__int64, unsigned)>(
GetProcAddress(LoadLibrary("pmdll64.dll"), "MapPhyMem"));
return map_phys_ptr ? map_phys_ptr(addr, size) : false;
}
```
### `bool unmap_phys(std::uintptr_t addr, std::size_t size)`
This function must take the virtual address of the mapping (the address returned from map_phys) and the size that was mapped. If this function is unable to free the memory
you will blue screen because you will run out of ram (happend a few times to me).
```cpp
/*
please code this function depending on your method of physical read/write.
*/
bool unmap_phys(
std::uintptr_t addr,
std::size_t size
)
{
static const auto unmap_phys_ptr =
reinterpret_cast<__int64(*)(__int64, unsigned)>(
GetProcAddress(LoadLibrary("pmdll64.dll"), "UnmapPhyMem"));
return unmap_phys_ptr ? unmap_phys_ptr(addr, size) : false;
}
```
# DriverEntry # DriverEntry
you can change the paremeters you pass to driver entry simply by changing this: you can change the paremeters you pass to driver entry simply by changing this:

Write Preview
Loading…
Cancel
Save