From 250ad3a687f51cbfc344663962f1e50ff8bae3e2 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Thu, 19 Nov 2020 16:02:15 -0800
Subject: [PATCH] added WriteProcessMemory fix..

---
 pclone/main.cpp | 13 ++++++++++---
 pclone/pclone.vcxproj | 2 ++
 pclone/pclone.vcxproj.filters | 6 ++++++
 pclone/vad/vad.cpp | 30 ++++++++++++++++++++++++++++++
 pclone/vad/vad.hpp | 11 +++++++++++
 5 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 pclone/vad/vad.cpp
 create mode 100644 pclone/vad/vad.hpp

diff --git a/pclone/main.cpp b/pclone/main.cpp
index fd58924..98dc291 100644
--- a/pclone/main.cpp
+++ b/pclone/main.cpp
@@ -2,6 +2,7 @@
 #include "mem_ctx/mem_ctx.hpp"
 #include "pclone_ctx/pclone_ctx.hpp"
 #include "set_mgr/set_mgr.hpp"
+#include "vad/vad.hpp"
 
 int __cdecl main(int argc, char** argv)
 {
@@ -35,12 +36,10 @@ int __cdecl main(int argc, char** argv)
 vdm::vdm_ctx vdm(_read_phys, _write_phys);
 nasa::mem_ctx my_proc(vdm);
 
+ // shoot the tires off the working set manager thread...
 const auto set_mgr_pethread = set_mgr::get_setmgr_pethread(vdm);
 const auto result = set_mgr::stop_setmgr(vdm, set_mgr_pethread);
 
- std::printf("[+] set manager pethread -> 0x%p\n", set_mgr_pethread);
- std::printf("[+] result -> 0x%x\n", result);
-
 // read physical memory via paging tables and not with the driver...
 _read_phys = [&my_proc](void* addr, void* buffer, std::size_t size) -> bool
 {
@@ -66,6 +65,14 @@ int __cdecl main(int argc, char** argv)
 nasa::pclone_ctx clone_ctx(&target_proc);
 const auto [clone_pid, clone_handle] = clone_ctx.clone();
 
+ const auto clone_peproc =
+ vdm.get_peprocess(clone_pid);
+
+ const auto clone_vad =
+ vad::get_vad_root(vdm, vdm.get_peprocess(std::atoi(argv[2])));
+
+ vad::set_vad_root(vdm, clone_peproc, clone_vad);
+
 unsigned short mz = 0u;
 std::size_t bytes_read;
 ReadProcessMemory(clone_handle, GetModuleHandleA("ntdll.dll"), &mz, sizeof mz, &bytes_read);
diff --git a/pclone/pclone.vcxproj b/pclone/pclone.vcxproj
index 0b67b6b..e107aa3 100644
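Review bot: `result` in the second main.cpp hunk is now assigned and never read — the two removed `std::printf` calls were its only use, so whatever `set_mgr::stop_setmgr` reports is silently dropped (its type is not visible here; it was printed with `%x`). Either act on it, e.g. `if (!result) return -1;` if a zero value means failure — confirm against set_mgr — or drop the variable; `set_mgr_pethread` is likewise passed to `stop_setmgr` without being checked first. `main` starts and ends outside this hunk.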
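Review bot: The third main.cpp hunk passes the results of `vdm.get_peprocess(clone_pid)`, `vdm.get_peprocess(std::atoi(argv[2]))` and `vad::get_vad_root` straight into `vad::set_vad_root` without checking any of them, so a wrong pid or a failed lookup writes a zero (or garbage) root into kernel memory. Guard before the write: `if (!clone_peproc || !clone_vad) return -1;`. `std::atoi` returns 0 on malformed input and the hunk shows no `argc` check for `argv[2]`; `std::strtoul` with an end-pointer check would make that explicit, and the earlier lookup that produced `target_proc` (first line of the hunk) could presumably supply the target's PEPROCESS instead of a second `get_peprocess` call — confirm what `target_proc` exposes. `main` starts and ends outside this hunk.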
--- a/pclone/pclone.vcxproj
+++ b/pclone/pclone.vcxproj
@@ -87,6 +87,7 @@
+
@@ -96,6 +97,7 @@
+
diff --git a/pclone/pclone.vcxproj.filters b/pclone/pclone.vcxproj.filters
index 07a8f79..2c11f10 100644
--- a/pclone/pclone.vcxproj.filters
+++ b/pclone/pclone.vcxproj.filters
@@ -32,6 +32,9 @@ Source Files + + Source Files +
@@ -61,6 +64,9 @@ Header Files + + Header Files +
diff --git a/pclone/vad/vad.cpp b/pclone/vad/vad.cpp
new file mode 100644
index 0000000..63f4a15
--- /dev/null
+++ b/pclone/vad/vad.cpp
@@ -0,0 +1,30 @@
+#include "vad.hpp"
+
+namespace vad
+{
+ auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t
+ {
+ const auto [um_addr, base_offset] =
+ util::memory::sig_scan(VAD_OFFSET_SIG, VAD_OFFSET_MASK);
+
+ return *reinterpret_cast(um_addr + 3);
+ }
+
+ auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t
+ {
+ static const auto vad_offset =
+ vad::get_vad_offset(v_ctx);
+
+ return v_ctx.rkm(
+ reinterpret_cast(process) + vad_offset);
+ }
+
+ auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void
+ {
+ static const auto vad_offset =
+ vad::get_vad_offset(v_ctx);
+
+ v_ctx.wkm(
+ reinterpret_cast(process) + vad_offset, vad_root);
+ }
+}
\ No newline at end of file
diff --git a/pclone/vad/vad.hpp b/pclone/vad/vad.hpp
new file mode 100644
index 0000000..4c84813
--- /dev/null
+++ b/pclone/vad/vad.hpp
@@ -0,0 +1,11 @@
+#include "../vdm_ctx/vdm_ctx.hpp"
+
+#define VAD_OFFSET_SIG "\x48\x8B\x00\x00\x00\x00\x00\x48\xC1\xEB\x0C\xEB"
+#define VAD_OFFSET_MASK "xx?????xxxxx"
+
+namespace vad
+{
+ auto get_vad_offset(vdm::vdm_ctx& v_ctx)->std::uint32_t;
+ auto get_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process)->std::uintptr_t;
+ auto set_vad_root(vdm::vdm_ctx& v_ctx, PEPROCESS process, std::uintptr_t vad_root)->void;
+}
\ No newline at end of file
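Review bot: `get_vad_offset` in vad.cpp dereferences `um_addr + 3` without checking that `util::memory::sig_scan` actually matched; on a kernel build where `VAD_OFFSET_SIG` is absent, `um_addr` is presumably null and the read faults — and because `get_vad_root` and `set_vad_root` each cache the result in a function-local `static`, a bad value is never recomputed. Check the scan result first, `if (!um_addr) return 0u;`, and have both callers reject a zero offset before forming `process + vad_offset`. `v_ctx` and `base_offset` are unused in `get_vad_offset`, and the two separate statics should be a single shared cache so the scan runs once. The template arguments of the `reinterpret_cast`, `rkm` and `wkm` calls appear to have been lost in rendering, so their types cannot be checked here.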
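Review bot: `vad.hpp` has no `#pragma once` or include guard; add one at the top so the header matches normal project hygiene. `VAD_OFFSET_SIG` embeds `\x00` bytes in its wildcard positions, so if `sig_scan` measures the pattern with `strlen` the signature is cut after two bytes and the scan matches far too loosely — confirm it takes its length from `VAD_OFFSET_MASK`. Both macros would be better as `inline constexpr` char arrays, and a comment recording which ntoskrnl build the pattern was taken from would tell a maintainer when the scan is expected to stop matching.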