From 96526f8cdefc791419ce0ab3b86aee0f00394975 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Tue, 3 Nov 2020 07:28:26 +0000
Subject: [PATCH] Update README.md
---
 README.md | 40 +++++++++++++++-------------------------
 1 file changed, 15 insertions(+), 25 deletions(-)
diff --git a/README.md b/README.md
index d00b705..6b186af 100644
--- a/README.md
+++ b/README.md
@@ -14,34 +14,24 @@ Link to write up can be found [here](https://back.engineering/post/virtual-memor
 # example
 ```cpp
-// only time driver needs to be loaded is to init physmeme/kernel_ctx...
-nasa::load_drv();
-nasa::kernel_ctx kernel;
-if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp))
-std::cout << "[+] flushed PIDDB Cache for physmeme driver..." << std::endl;
-nasa::unload_drv();
-
-const std::pair my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } };
-std::cout << "[+] my pid: " << std::hex << my_proc_data.first << std::endl;
-std::cout << "[+] my base: " << std::showbase << std::hex << my_proc_data.second.value << std::endl;
-
-nasa::mem_ctx my_proc(kernel, my_proc_data.first);
-const auto module_base = my_proc_data.second;
-
-std::cout << "[+] base address pml4e: " << std::hex << my_proc[module_base.pml4_index].value << std::endl;
-std::cout << "[+] base address pdpte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index}].value << std::endl;
-std::cout << "[+] base address pde: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index}].value << std::endl;
-std::cout << "[+] base address pte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index, module_base.pt_index}].value << std::endl;
+vdm::vdm_ctx vdm;
+nasa::mem_ctx my_proc(vdm);
+
+const auto ntoskrnl_base =
+reinterpret_cast(
+ util::get_kmodule_base("ntoskrnl.exe"));
+
+const auto ntoskrnl_pde = my_proc.get_pde(ntoskrnl_base);
+std::printf("[+] pde.present -> %d\n", ntoskrnl_pde.second.present);
+std::printf("[+] pde.pfn -> 0x%x\n", ntoskrnl_pde.second.pfn);
+std::printf("[+] pde.large_page -> %d\n", ntoskrnl_pde.second.large_page);
 ```
 ```
-[+] flushed PIDDB Cache for physmeme driver... 
-[+] my pid: 2634
-[+] my base: 00007FF64BBB0000
-[+] base address pml4e: 0xa000000d82b3867
-[+] base address pdpte: 0xa000002df3b4867
-[+] base address pde: 0xa0000016fcb5867
-[+] base address pte: 0x80000001b1185025
+[+] pde.present -> 1
+[+] pde.pfn -> 0x10400
+[+] pde.large_page -> 1
+[+] press any key to close...
 ```
 # table entry manipulation