diff --git a/pclone/main.cpp b/pclone/main.cpp
index fd58924..98dc291 100644
--- a/pclone/main.cpp
+++ b/pclone/main.cpp
@@ -2,6 +2,7 @@
#include "mem_ctx/mem_ctx.hpp"
#include "pclone_ctx/pclone_ctx.hpp"
#include "set_mgr/set_mgr.hpp"
+#include "vad/vad.hpp"
int __cdecl main(int argc, char** argv)
{
@@ -35,12 +36,10 @@ int __cdecl main(int argc, char** argv)
vdm::vdm_ctx vdm(_read_phys, _write_phys);
nasa::mem_ctx my_proc(vdm);
+ // shoot the tires off the working set manager thread...
const auto set_mgr_pethread = set_mgr::get_setmgr_pethread(vdm);
const auto result = set_mgr::stop_setmgr(vdm, set_mgr_pethread);
- std::printf("[+] set manager pethread -> 0x%p\n", set_mgr_pethread);
- std::printf("[+] result -> 0x%x\n", result);
-
// read physical memory via paging tables and not with the driver...
_read_phys = [&my_proc](void* addr, void* buffer, std::size_t size) -> bool
{
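Review bot: With the two `std::printf` calls removed, `result` at `const auto result = set_mgr::stop_setmgr(vdm, set_mgr_pethread);` is no longer read anywhere in this hunk, so the outcome of stopping the set manager thread is silently dropped and the variable will trip an unused-variable warning. Either act on it before the code below assumes the thread is stopped — e.g. `if (!result) { std::printf("[!] failed to stop set manager thread\n"); return -1; }`, assuming zero/false signals failure as the removed `0x%x` print suggests — or drop the variable entirely. The same applies to `set_mgr_pethread`, which is passed on without a null check. `main` starts and ends outside this hunk.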
@@ -66,6 +65,14 @@ int __cdecl main(int argc, char** argv)
nasa::pclone_ctx clone_ctx(&target_proc);
const auto [clone_pid, clone_handle] = clone_ctx.clone();
+ const auto clone_peproc =
+ vdm.get_peprocess(clone_pid);
+
+ const auto clone_vad =
+ vad::get_vad_root(vdm, vdm.get_peprocess(std::atoi(argv[2])));
+
+ vad::set_vad_root(vdm, clone_peproc, clone_vad);
+
unsigned short mz = 0u;
std::size_t bytes_read;
ReadProcessMemory(clone_handle, GetModuleHandleA("ntdll.dll"), &mz, sizeof mz, &bytes_read);
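Review bot: `vad::set_vad_root(vdm, clone_peproc, clone_vad);` is issued without checking that `clone_peproc` is non-null and `clone_vad` is non-zero; if either `vdm.get_peprocess` lookup fails, the kernel write lands at `offset` past a bogus base. Guard the call, e.g. `if (!clone_peproc || !clone_vad) { std::printf("[!] failed to resolve clone or target process\n"); return -1; }`. The second `vdm.get_peprocess(std::atoi(argv[2]))` also re-parses the pid that `target_proc` was presumably constructed from earlier in `main` (outside this hunk); reusing that already-validated value would avoid the duplicate parse and keep the `argc` check in one place. `main` begins and ends outside the hunk.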
diff --git a/pclone/pclone.vcxproj b/pclone/pclone.vcxproj
index 0b67b6b..e107aa3 100644
--- a/pclone/pclone.vcxproj
+++ b/pclone/pclone.vcxproj
@@ -87,6 +87,7 @@
+
@@ -96,6 +97,7 @@
+
diff --git a/pclone/pclone.vcxproj.filters b/pclone/pclone.vcxproj.filters
index 07a8f79..2c11f10 100644
--- a/pclone/pclone.vcxproj.filters
+++ b/pclone/pclone.vcxproj.filters
@@ -32,6 +32,9 @@
Source Files
+
+ Source Files
+
@@ -61,6 +64,9 @@
Header Files
+
+ Header Files
+
diff --git a/pclone/vad/vad.cpp b/pclone/vad/vad.cpp
new file mode 100644
index 0000000..63f4a15
--- /dev/null
+++ b/pclone/vad/vad.cpp
@@ -0,0 +1,30 @@
+#include "vad.hpp"
+
+namespace vad
+{
+ auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t
+ {
+ const auto [um_addr, base_offset] =
+ util::memory::sig_scan(VAD_OFFSET_SIG, VAD_OFFSET_MASK);
+
+ return *reinterpret_cast(um_addr + 3);
+ }
+
+ auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t
+ {
+ static const auto vad_offset =
+ vad::get_vad_offset(v_ctx);
+
+ return v_ctx.rkm(
+ reinterpret_cast(process) + vad_offset);
+ }
+
+ auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void
+ {
+ static const auto vad_offset =
+ vad::get_vad_offset(v_ctx);
+
+ v_ctx.wkm(
+ reinterpret_cast(process) + vad_offset, vad_root);
+ }
+}
\ No newline at end of file
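Review bot: `get_vad_offset` dereferences `um_addr + 3` without checking that `util::memory::sig_scan(VAD_OFFSET_SIG, VAD_OFFSET_MASK)` actually matched; on an image build where the signature misses, `um_addr` is presumably null and the read faults before any kernel access is attempted. Return a sentinel on miss, e.g. `if (!um_addr) return 0u;`, and have `get_vad_root`/`set_vad_root` treat a zero offset as failure instead of reading or writing at `process + 0`, since both cache the value in a function-local `static const` and would otherwise repeat the bad access forever. The `v_ctx` parameter of `get_vad_offset` is never used in its body; either drop it or add a comment such as `// v_ctx unused: kept for interface symmetry with get/set_vad_root`. The template arguments of the three `reinterpret_cast` calls appear to have been lost in rendering, so I cannot confirm the pointee and integer types line up with the declared return types.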
diff --git a/pclone/vad/vad.hpp b/pclone/vad/vad.hpp
new file mode 100644
index 0000000..4c84813
--- /dev/null
+++ b/pclone/vad/vad.hpp
@@ -0,0 +1,11 @@
+#include "../vdm_ctx/vdm_ctx.hpp"
+
+#define VAD_OFFSET_SIG "\x48\x8B\x00\x00\x00\x00\x00\x48\xC1\xEB\x0C\xEB"
+#define VAD_OFFSET_MASK "xx?????xxxxx"
+
+namespace vad
+{
+ auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t;
+ auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t;
+ auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void;
+}
\ No newline at end of file
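Review bot: The new header has no `#pragma once` or include guard, unlike what the project's other headers presumably use, and it relies on `std::uint32_t`/`std::uintptr_t` and `PEPROCESS` arriving transitively through `vdm_ctx.hpp`; add `#pragma once` as the first line and `#include <cstdint>` explicitly so the header stands on its own. `VAD_OFFSET_SIG` and `VAD_OFFSET_MASK` would be better expressed as typed, namespace-scoped constants — e.g. `inline constexpr const char* kVadOffsetSig = "\x48\x8B\x00\x00\x00\x00\x00\x48\xC1\xEB\x0C\xEB";` and the matching mask — than as macros that leak into every including translation unit. A one-line comment on each declaration stating that the offset is the `VadRoot` field offset resolved by signature scan would also help a reader who has not seen `vad.cpp`.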