idk what i added but its done

master
_xeroxz 4 years ago
parent 0a6b262243
commit fb92ede46c

@ -18,13 +18,30 @@ namespace hyperspace
hyperspace_context.second = hyperspace_context.second =
v_ctx->get_physical(this->hyperspace_context.first); v_ctx->get_physical(this->hyperspace_context.first);
v_ctx->wkm(reinterpret_cast<void*>(this->hyperspace_context.first), v_ctx->wkm(reinterpret_cast<void*>(
reinterpret_cast<void*>(this->orig_context.first), PAGE_4KB); this->hyperspace_context.first),
reinterpret_cast<void*>(
this->orig_context.first), PAGE_4KB);
// make a new kprocess 1:1 with the target process... // make a new kprocess 1:1 with the target process...
orig_peproc = v_ctx->get_peprocess(target_ctx->pid); orig_peproc = v_ctx->get_peprocess(target_ctx->pid);
clone_peproc = reinterpret_cast<PEPROCESS>(v_ctx->kalloc(PAGE_4KB)); clone_peproc = reinterpret_cast<PEPROCESS>(v_ctx->kalloc(PAGE_4KB));
v_ctx->wkm(clone_peproc, orig_peproc, PAGE_4KB);
// usually PEPROCESS's are 0x80 into a page...
// there is some structure above an EPROCESS i do not know what it is
// but there is indeed one there so we are gunna copy that bitch!
const auto orig_peproc_page =
(reinterpret_cast<std::uintptr_t>(orig_peproc) >> 12) << 12;
// offset into the page where the actual eprocess begins...
const auto clone_peproc_offset =
reinterpret_cast<std::uintptr_t>(orig_peproc) & (ULONG64)0xFFF;
v_ctx->wkm(clone_peproc,
reinterpret_cast<void*>(orig_peproc_page), PAGE_4KB);
clone_peproc = reinterpret_cast<PEPROCESS>(
reinterpret_cast<std::uintptr_t>(clone_peproc) + clone_peproc_offset);
// 1: kd > dt !_KPROCESS // 1: kd > dt !_KPROCESS
// nt!_KPROCESS // nt!_KPROCESS
@ -34,26 +51,37 @@ namespace hyperspace
const auto dirbase_ptr = const auto dirbase_ptr =
reinterpret_cast<std::uintptr_t>(clone_peproc) + KPROCESS_DIRBASE_OFFSET; reinterpret_cast<std::uintptr_t>(clone_peproc) + KPROCESS_DIRBASE_OFFSET;
v_ctx->wkm<std::uintptr_t>(dirbase_ptr, hyperspace_context.second); v_ctx->wkm<std::uintptr_t>(
dirbase_ptr, hyperspace_context.second);
} }
auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> void auto hyper_ctx::hyper_jmp(std::uint32_t tid) -> std::pair<bool, PETHREAD>
{ {
const auto current_thread = const auto pethread =
reinterpret_cast<std::uintptr_t>( reinterpret_cast<std::uintptr_t>(
v_ctx->get_current_thread()); v_ctx->get_pethread(tid));
if (!pethread)
return { {}, {} };
v_ctx->wkm<PEPROCESS>( v_ctx->wkm<PEPROCESS>(
current_thread + KTHREAD_PKPROCESS_OFFSET, clone_peproc); pethread + KTHREAD_PKPROCESS_OFFSET, clone_peproc);
return { true, reinterpret_cast<PETHREAD>(pethread) };
} }
auto hyper_ctx::hyper_ret(std::uint32_t tid) -> void auto hyper_ctx::hyper_ret(std::uint32_t tid) -> std::pair<bool, PETHREAD>
{ {
const auto current_thread = const auto pethread =
reinterpret_cast<std::uintptr_t>( reinterpret_cast<std::uintptr_t>(
v_ctx->get_current_thread()); v_ctx->get_pethread(tid));
if (!pethread)
return { {}, {} };
v_ctx->wkm<PEPROCESS>( v_ctx->wkm<PEPROCESS>(
current_thread + KTHREAD_PKPROCESS_OFFSET, orig_peproc); pethread + KTHREAD_PKPROCESS_OFFSET, orig_peproc);
return { true, reinterpret_cast<PETHREAD>(pethread) };
} }
} }

@ -4,6 +4,7 @@
// on windows 10 you should be alright... // on windows 10 you should be alright...
#define KTHREAD_PKPROCESS_OFFSET 0xB8 #define KTHREAD_PKPROCESS_OFFSET 0xB8
#define KPROCESS_DIRBASE_OFFSET 0x28 #define KPROCESS_DIRBASE_OFFSET 0x28
#define KPROCESS_THREAD_LIST_OFFSET 0x30
namespace hyperspace namespace hyperspace
{ {
@ -16,10 +17,9 @@ namespace hyperspace
ptm::ptm_ctx* target_ctx; ptm::ptm_ctx* target_ctx;
std::pair<virt_addr_t, phys_addr_t> hyperspace_context, orig_context; std::pair<virt_addr_t, phys_addr_t> hyperspace_context, orig_context;
PEPROCESS clone_peproc, orig_peproc; PEPROCESS clone_peproc, orig_peproc;
public: public:
explicit hyper_ctx(ptm::ptm_ctx* target_ctx); explicit hyper_ctx(ptm::ptm_ctx* target_ctx);
auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> void; auto hyper_jmp(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> void; auto hyper_ret(std::uint32_t tid = GetCurrentThreadId()) -> std::pair<bool, PETHREAD>;
}; };
} }

@ -39,12 +39,14 @@ int __cdecl main(int argc, char** argv)
return -1; return -1;
} }
_read_phys = [&](void* addr, void* buffer, std::size_t size) -> bool _read_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{ {
return my_proc.read_phys(buffer, addr, size); return my_proc.read_phys(buffer, addr, size);
}; };
_write_phys = [&](void* addr, void* buffer, std::size_t size) -> bool _write_phys =
[&](void* addr, void* buffer, std::size_t size) -> bool
{ {
return my_proc.write_phys(buffer, addr, size); return my_proc.write_phys(buffer, addr, size);
}; };
@ -56,7 +58,7 @@ int __cdecl main(int argc, char** argv)
hyperspace.hyper_jmp(); hyperspace.hyper_jmp();
{ {
for (auto idx = 0u; idx < 10; ++idx) for (auto idx = 0u; idx < 10; ++idx)
std::printf("[+] hyperspace cr3 -> 0x%p\n", vdm.readcr3()); std::printf("[+] (old thread) hyperspace cr3 -> 0x%p\n", vdm.readcr3());
} }
hyperspace.hyper_ret(); hyperspace.hyper_ret();
std::printf("[+] press any key to close...\n"); std::printf("[+] press any key to close...\n");

@ -61,6 +61,11 @@ using PsLookupProcessByProcessId = NTSTATUS (__fastcall*)(
PEPROCESS* Process PEPROCESS* Process
); );
using PsLookupThreadByThreadId = NTSTATUS(__fastcall*)(
HANDLE ThreadId,
PETHREAD* Thread
);
using MmCopyMemory = NTSTATUS(__stdcall*)( using MmCopyMemory = NTSTATUS(__stdcall*)(
PVOID, PVOID,
MM_COPY_ADDRESS, MM_COPY_ADDRESS,

@ -83,15 +83,11 @@ namespace vdm
{ {
static const auto ps_lookup_peproc = static const auto ps_lookup_peproc =
util::get_kmodule_export( util::get_kmodule_export(
"ntoskrnl.exe", "ntoskrnl.exe", "PsLookupProcessByProcessId");
"PsLookupProcessByProcessId");
PEPROCESS peproc = nullptr; PEPROCESS peproc = nullptr;
this->syscall<PsLookupProcessByProcessId>( syscall<PsLookupProcessByProcessId>(
ps_lookup_peproc, ps_lookup_peproc, (HANDLE)pid, &peproc);
(HANDLE)pid,
&peproc
);
return peproc; return peproc;
} }
@ -99,37 +95,42 @@ namespace vdm
{ {
static const auto ntoskrnl_get_virtual = static const auto ntoskrnl_get_virtual =
util::get_kmodule_export( util::get_kmodule_export(
"ntoskrnl.exe", "ntoskrnl.exe", "MmGetVirtualForPhysical");
"MmGetVirtualForPhysical");
return this->syscall<MmGetVirtualForPhysical>( return syscall<MmGetVirtualForPhysical>(
ntoskrnl_get_virtual, addr); ntoskrnl_get_virtual, addr);
} }
__forceinline auto kalloc(std::size_t size) -> std::uintptr_t __forceinline auto kalloc(std::size_t size) -> std::uintptr_t
{ {
static const auto mm_allocate = static const auto mm_allocate =
util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool"); util::get_kmodule_export(
"ntoskrnl.exe", "ExAllocatePool");
return this->syscall<std::uintptr_t(*) return syscall<std::uintptr_t(*)
(std::uint8_t, std::size_t)>(mm_allocate, NULL, size); (std::uint8_t, std::size_t)>(mm_allocate, NULL, size);
} }
__forceinline auto get_physical(std::uintptr_t phys_addr) -> std::uintptr_t __forceinline auto get_physical(std::uintptr_t phys_addr) -> std::uintptr_t
{ {
static const auto mm_get_physical = static const auto mm_get_physical =
util::get_kmodule_export("ntoskrnl.exe", "MmGetPhysicalAddress"); util::get_kmodule_export(
"ntoskrnl.exe", "MmGetPhysicalAddress");
return this->syscall<std::uintptr_t(*) return syscall<std::uintptr_t(*)
(std::uintptr_t)>(mm_get_physical, phys_addr); (std::uintptr_t)>(mm_get_physical, phys_addr);
} }
__forceinline auto get_current_thread(void) -> PETHREAD __forceinline auto get_pethread(std::uint32_t tid) -> PETHREAD
{ {
static const auto ke_get_thread = static const auto ps_lookup_thread =
util::get_kmodule_export("ntoskrnl.exe", "KeGetCurrentThread"); util::get_kmodule_export(
"ntoskrnl.exe", "PsLookupThreadByThreadId");
return this->syscall<PETHREAD(*)()>(ke_get_thread); PETHREAD result = nullptr;
syscall<PsLookupThreadByThreadId>(
ps_lookup_thread, (HANDLE)tid, &result);
return result;
} }
__forceinline auto readcr3(void) -> std::uintptr_t __forceinline auto readcr3(void) -> std::uintptr_t

Loading…
Cancel
Save