From fb92ede46c5938097f54a7f09c25994bfe1421e6 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sat, 5 Dec 2020 15:54:02 -0800 Subject: [PATCH] idk what i added but its done --- hyperspace/hyper_ctx/hyper_ctx.cpp | 52 +++++++++++++++++++++++------- hyperspace/hyper_ctx/hyper_ctx.hpp | 6 ++-- hyperspace/main.cpp | 8 +++-- hyperspace/util/nt.hpp | 5 +++ hyperspace/vdm_ctx/vdm_ctx.hpp | 37 ++++++++++----------- 5 files changed, 72 insertions(+), 36 deletions(-) diff --git a/hyperspace/hyper_ctx/hyper_ctx.cpp b/hyperspace/hyper_ctx/hyper_ctx.cpp index a2644bb..c7a73ac 100644 --- a/hyperspace/hyper_ctx/hyper_ctx.cpp +++ b/hyperspace/hyper_ctx/hyper_ctx.cpp @@ -18,13 +18,30 @@ namespace hyperspace hyperspace_context.second = v_ctx->get_physical(this->hyperspace_context.first); - v_ctx->wkm(reinterpret_cast(this->hyperspace_context.first), - reinterpret_cast(this->orig_context.first), PAGE_4KB); + v_ctx->wkm(reinterpret_cast( + this->hyperspace_context.first), + reinterpret_cast( + this->orig_context.first), PAGE_4KB); // make a new kprocess 1:1 with the target process... orig_peproc = v_ctx->get_peprocess(target_ctx->pid); clone_peproc = reinterpret_cast(v_ctx->kalloc(PAGE_4KB)); - v_ctx->wkm(clone_peproc, orig_peproc, PAGE_4KB); + + // usually PEPROCESS's are 0x80 into a page... + // there is some structure above an EPROCESS i do not know what it is + // but there is indeed one there so we are gunna copy that bitch! + const auto orig_peproc_page = + (reinterpret_cast(orig_peproc) >> 12) << 12; + + // offset into the page where the actual eprocess begins... + const auto clone_peproc_offset = + reinterpret_cast(orig_peproc) & (ULONG64)0xFFF; + + v_ctx->wkm(clone_peproc, + reinterpret_cast(orig_peproc_page), PAGE_4KB); + + clone_peproc = reinterpret_cast( + reinterpret_cast(clone_peproc) + clone_peproc_offset); // 1: kd > dt !_KPROCESS // nt!_KPROCESS @@ -34,26 +51,37 @@ namespace hyperspace const auto dirbase_ptr = reinterpret_cast(clone_peproc) + KPROCESS_DIRBASE_OFFSET; - v_ctx->wkm(dirbase_ptr, hyperspace_context.second); + v_ctx->wkm( + dirbase_ptr, hyperspace_context.second); } - auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> void + auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> std::pair { - const auto current_thread = + const auto pethread = reinterpret_cast( - v_ctx->get_current_thread()); + v_ctx->get_pethread(tid)); + if (!pethread) + return { {}, {} }; + v_ctx->wkm( - current_thread + KTHREAD_PKPROCESS_OFFSET, clone_peproc); + pethread + KTHREAD_PKPROCESS_OFFSET, clone_peproc); + + return { true, reinterpret_cast(pethread) }; } - auto hyper_ctx::hyper_ret(std::uint32_t tid) -> void + auto hyper_ctx::hyper_ret(std::uint32_t tid) -> std::pair { - const auto current_thread = + const auto pethread = reinterpret_cast( - v_ctx->get_current_thread()); + v_ctx->get_pethread(tid)); + + if (!pethread) + return { {}, {} }; v_ctx->wkm( - current_thread + KTHREAD_PKPROCESS_OFFSET, orig_peproc); + pethread + KTHREAD_PKPROCESS_OFFSET, orig_peproc); + + return { true, reinterpret_cast(pethread) }; } } \ No newline at end of file diff --git a/hyperspace/hyper_ctx/hyper_ctx.hpp b/hyperspace/hyper_ctx/hyper_ctx.hpp index 8f5818b..a4aaa67 100644 --- a/hyperspace/hyper_ctx/hyper_ctx.hpp +++ b/hyperspace/hyper_ctx/hyper_ctx.hpp @@ -4,6 +4,7 @@ // on windows 10 you should be alright... #define KTHREAD_PKPROCESS_OFFSET 0xB8 #define KPROCESS_DIRBASE_OFFSET 0x28 +#define KPROCESS_THREAD_LIST_OFFSET 0x30 namespace hyperspace { @@ -16,10 +17,9 @@ namespace hyperspace ptm::ptm_ctx* target_ctx; std::pair hyperspace_context, orig_context; PEPROCESS clone_peproc, orig_peproc; - public: explicit hyper_ctx(ptm::ptm_ctx* target_ctx); - auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> void; - auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> void; + auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> std::pair; + auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> std::pair; }; } \ No newline at end of file diff --git a/hyperspace/main.cpp b/hyperspace/main.cpp index d70ff89..1823e45 100644 --- a/hyperspace/main.cpp +++ b/hyperspace/main.cpp @@ -39,12 +39,14 @@ int __cdecl main(int argc, char** argv) return -1; } - _read_phys = [&](void* addr, void* buffer, std::size_t size) -> bool + _read_phys = + [&](void* addr, void* buffer, std::size_t size) -> bool { return my_proc.read_phys(buffer, addr, size); }; - _write_phys = [&](void* addr, void* buffer, std::size_t size) -> bool + _write_phys = + [&](void* addr, void* buffer, std::size_t size) -> bool { return my_proc.write_phys(buffer, addr, size); }; @@ -56,7 +58,7 @@ int __cdecl main(int argc, char** argv) hyperspace.hyper_jmp(); { for (auto idx = 0u; idx < 10; ++idx) - std::printf("[+] hyperspace cr3 -> 0x%p\n", vdm.readcr3()); + std::printf("[+] (old thread) hyperspace cr3 -> 0x%p\n", vdm.readcr3()); } hyperspace.hyper_ret(); std::printf("[+] press any key to close...\n"); diff --git a/hyperspace/util/nt.hpp b/hyperspace/util/nt.hpp index bd1fb8c..1da9903 100644 --- a/hyperspace/util/nt.hpp +++ b/hyperspace/util/nt.hpp @@ -61,6 +61,11 @@ using PsLookupProcessByProcessId = NTSTATUS (__fastcall*)( PEPROCESS* Process ); +using PsLookupThreadByThreadId = NTSTATUS(__fastcall*)( + HANDLE ThreadId, + PETHREAD* Thread +); + using MmCopyMemory = NTSTATUS(__stdcall*)( PVOID, MM_COPY_ADDRESS, diff --git a/hyperspace/vdm_ctx/vdm_ctx.hpp b/hyperspace/vdm_ctx/vdm_ctx.hpp index 35ce3e0..8a2637d 100644 --- a/hyperspace/vdm_ctx/vdm_ctx.hpp +++ b/hyperspace/vdm_ctx/vdm_ctx.hpp @@ -83,15 +83,11 @@ namespace vdm { static const auto ps_lookup_peproc = util::get_kmodule_export( - "ntoskrnl.exe", - "PsLookupProcessByProcessId"); + "ntoskrnl.exe", "PsLookupProcessByProcessId"); PEPROCESS peproc = nullptr; - this->syscall( - ps_lookup_peproc, - (HANDLE)pid, - &peproc - ); + syscall( + ps_lookup_peproc, (HANDLE)pid, &peproc); return peproc; } @@ -99,37 +95,42 @@ namespace vdm { static const auto ntoskrnl_get_virtual = util::get_kmodule_export( - "ntoskrnl.exe", - "MmGetVirtualForPhysical"); + "ntoskrnl.exe", "MmGetVirtualForPhysical"); - return this->syscall( + return syscall( ntoskrnl_get_virtual, addr); } __forceinline auto kalloc(std::size_t size) -> std::uintptr_t { static const auto mm_allocate = - util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool"); + util::get_kmodule_export( + "ntoskrnl.exe", "ExAllocatePool"); - return this->syscall(mm_allocate, NULL, size); } __forceinline auto get_physical(std::uintptr_t phys_addr) -> std::uintptr_t { static const auto mm_get_physical = - util::get_kmodule_export("ntoskrnl.exe", "MmGetPhysicalAddress"); + util::get_kmodule_export( + "ntoskrnl.exe", "MmGetPhysicalAddress"); - return this->syscall(mm_get_physical, phys_addr); } - __forceinline auto get_current_thread(void) -> PETHREAD + __forceinline auto get_pethread(std::uint32_t tid) -> PETHREAD { - static const auto ke_get_thread = - util::get_kmodule_export("ntoskrnl.exe", "KeGetCurrentThread"); + static const auto ps_lookup_thread = + util::get_kmodule_export( + "ntoskrnl.exe", "PsLookupThreadByThreadId"); - return this->syscall(ke_get_thread); + PETHREAD result = nullptr; + syscall( + ps_lookup_thread, (HANDLE)tid, &result); + return result; } __forceinline auto readcr3(void) -> std::uintptr_t