From bd6e4b598e58cc24ccd400fbaff63e5a97c7c2ca Mon Sep 17 00:00:00 2001
From: xerox
Date: Tue, 25 Aug 2020 09:24:37 +0000
Subject: [PATCH] Update README.md

---
 README.md | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2bf31b4..f3d005d 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,49 @@ paging table manipulation from user-mode. operations such as getting and setting
 Please disable spectra/meltdown since this patch creates two sets of PML4's per process (which i dont support).
 Link to write up can be found [here](https://back.engineering/post/virtual-memory/).
+# example
+
+```cpp
+#include
+#include "kernel_ctx/kernel_ctx.h"
+#include "mem_ctx/mem_ctx.hpp"
+
+int __cdecl main(int argc, char** argv)
+{
+ // only time driver needs to be loaded is to init physmeme/kernel_ctx...
+ nasa::load_drv();
+ nasa::kernel_ctx kernel;
+ if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp))
+ std::cout << "[+] flushed PIDDB Cache for physmeme driver..." << std::endl;
+ nasa::unload_drv();
+
+ const std::pair my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } };
+ std::cout << "[+] my pid: " << std::hex << my_proc_data.first << std::endl;
+ std::cout << "[+] my base: " << std::showbase << std::hex << my_proc_data.second.value << std::endl;
+
+ nasa::mem_ctx my_proc(kernel, my_proc_data.first);
+ const auto module_base = my_proc_data.second;
+
+ std::cout << "[+] base address pml4e: " << std::hex << my_proc[module_base.pml4_index].value << std::endl;
+ std::cout << "[+] base address pdpte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index}].value << std::endl;
+ std::cout << "[+] base address pde: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index}].value << std::endl;
+ std::cout << "[+] base address pte: " << std::hex << my_proc[{module_base.pml4_index, module_base.pdpt_index, module_base.pd_index, module_base.pt_index}].value << std::endl;
+ std::cin.get();
+}
+```
+
+result:
+
+```
+[+] flushed PIDDB Cache for physmeme driver...
+[+] my pid: 2634
+[+] my base: 00007FF64BBB0000
+[+] base address pml4e: 0xa000000d82b3867
+[+] base address pdpte: 0xa000002df3b4867
+[+] base address pde: 0xa0000016fcb5867
+[+] base address pte: 0x80000001b1185025
+```
+
 # table entry manipulation
 - get/set pml4e's
 - get/set pdpte's
@@ -24,4 +67,10 @@ Link to write up can be found [here](https://back.engineering/post/virtual-memor
 # virtual memory
 - convert virtual addresses to physical addresses
 - get table entries for a given address
-- change table entries for a given address
\ No newline at end of file
+- change table entries for a given address
+
+# limitations
+
+- please disable spectre/meltdown!
+- please uninstall avast! (they destory physmeme!)
+- this code may not work for AMD!
\ No newline at end of file