V1.1 added support to zero driver's pe header.

merge-requests/1/head
xerox 4 years ago
parent 5d8fb3f10d
commit 8404b66d39

Binary file not shown.

@ -190,4 +190,24 @@ namespace physmeme
&amount_copied
);
}
/*
Author: xerox
Date: 4/19/2020
zero driver header
*/
void kernel_ctx::zero_kernel_memory(std::uintptr_t addr, std::size_t size)
{
static const auto rtl_zero_memory =
util::get_module_export(
"ntoskrnl.exe",
"RtlZeroMemory"
);
syscall<decltype(&RtlSecureZeroMemory)>(
rtl_zero_memory,
reinterpret_cast<void*>(addr),
size
);
}
}

@ -33,6 +33,8 @@ namespace physmeme
void read_kernel(std::uintptr_t addr, void* buffer, std::size_t size);
void write_kernel(std::uintptr_t addr, void* buffer, std::size_t size);
void zero_kernel_memory(std::uintptr_t addr, std::size_t size);
template <class T>
T read_kernel(std::uintptr_t addr)
{

@ -59,15 +59,27 @@ int __cdecl main(int argc, char** argv)
ctx.write_kernel(pool_base, image.data(), image.size());
//
// call driver entry and pass in base address and size of the driver.
// driver entry params
//
auto entry_point = pool_base + image.entry_point();
auto size = image.size();
//
// call driver entry
//
auto result = ctx.syscall<DRIVER_INITIALIZE>(reinterpret_cast<void*>(entry_point), pool_base, image.size());
std::cout << "[+] driver entry returned: " << std::hex << result << std::endl;
physmeme::unload_drv();
//
// zero header of driver
//
ctx.zero_kernel_memory(pool_base, image.header_size());
std::cout << "[+] zero'ed driver's pe header" << std::endl;
//
// close and unload vuln drivers
//
std::cout << "[=] press enter to close" << std::endl;
physmeme::unload_drv();
std::cin.get();
}

@ -21,7 +21,7 @@ namespace physmeme
// Author: Remy Lebeau
// taken from here: https://stackoverflow.com/questions/48485364/read-reg-resource-list-memory-values-incorrect-value
static const auto init_ranges = ([&]() -> bool
{
{
HKEY h_key;
DWORD type, size;
LPBYTE data;
@ -39,7 +39,7 @@ namespace physmeme
delete[] data;
RegCloseKey(h_key);
return true;
})();
})();
/*
please code this function depending on your method of physical read/write.

@ -89,5 +89,5 @@ typedef struct _MM_COPY_ADDRESS {
using ExAllocatePool = PVOID(__stdcall*) (POOL_TYPE, SIZE_T);
using ExAllocatePoolWithTag = PVOID(__stdcall*)(POOL_TYPE, SIZE_T, ULONG);
using MmCopyMemory = NTSTATUS (__fastcall*)(PVOID, MM_COPY_ADDRESS,SIZE_T,ULONG,PSIZE_T);
using MmCopyMemory = NTSTATUS (__stdcall*)(PVOID, MM_COPY_ADDRESS,SIZE_T,ULONG,PSIZE_T);
using DRIVER_INITIALIZE = NTSTATUS(__stdcall*)(std::uintptr_t, std::size_t);
Loading…
Cancel
Save