diff --git a/demo/physmeme.exe b/demo/physmeme.exe
index 924a32b..35419a7 100644
Binary files a/demo/physmeme.exe and b/demo/physmeme.exe differ
diff --git a/physmeme/kernel_ctx/kernel_ctx.cpp b/physmeme/kernel_ctx/kernel_ctx.cpp
index 008d375..1ff6a03 100644
--- a/physmeme/kernel_ctx/kernel_ctx.cpp
+++ b/physmeme/kernel_ctx/kernel_ctx.cpp
@@ -190,4 +190,24 @@ namespace physmeme
 &amount_copied
 );
 }
+
+ /*
+ Author: xerox
+ Date: 4/19/2020
+
+ zero driver header
+ */
+ void kernel_ctx::zero_kernel_memory(std::uintptr_t addr, std::size_t size)
+ {
+ static const auto rtl_zero_memory =
+ util::get_module_export(
+ "ntoskrnl.exe",
+ "RtlZeroMemory"
+ );
+ syscall(
+ rtl_zero_memory,
+ reinterpret_cast(addr),
+ size
+ );
+ }
 }
\ No newline at end of file
diff --git a/physmeme/kernel_ctx/kernel_ctx.h b/physmeme/kernel_ctx/kernel_ctx.h
index 16ee891..5396459 100644
--- a/physmeme/kernel_ctx/kernel_ctx.h
+++ b/physmeme/kernel_ctx/kernel_ctx.h
@@ -33,6 +33,8 @@ namespace physmeme
 void read_kernel(std::uintptr_t addr, void* buffer, std::size_t size);
 void write_kernel(std::uintptr_t addr, void* buffer, std::size_t size);
+
+ void zero_kernel_memory(std::uintptr_t addr, std::size_t size); + template T read_kernel(std::uintptr_t addr) {
diff --git a/physmeme/main.cpp b/physmeme/main.cpp
index fa1dde4..e984925 100644
--- a/physmeme/main.cpp
+++ b/physmeme/main.cpp
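Review bot: `zero_kernel_memory` hands the result of `util::get_module_export("ntoskrnl.exe", "RtlZeroMemory")` straight to `syscall` with no check, so if the export lookup fails the kernel-mode call is made through whatever the helper returns on failure — presumably null — and the outcome is a bugcheck rather than an error the tool can report. Because the lookup is cached in a function-local static the guard costs nothing after the first call: `if (!rtl_zero_memory) return; // export lookup failed; never make a kernel call through a null pointer`. The function returns void, so the caller in main.cpp cannot learn whether the wipe actually happened; if the interface may change, returning bool would let that be logged. The comment block records only author, date and "zero driver header"; I would replace it with the contract — zeroes `size` bytes at kernel virtual address `addr` by invoking ntoskrnl's RtlZeroMemory in kernel mode, with no validation of the range, so an invalid address or size takes the system down. The target type of `reinterpret_cast(addr)` has been lost in this rendering (the angle-bracket argument was stripped), so it cannot be checked here.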
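Review bot: The new `zero_kernel_memory` declaration carries no comment, and this header is the only place a caller sees the contract of a function that writes into kernel memory. I would add above it: `// Zero size bytes at kernel VA addr via ntoskrnl's RtlZeroMemory; the range is not validated, so a bad addr/size crashes the system.` The enclosing class starts before this hunk and continues past it.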
@@ -59,15 +59,27 @@ int __cdecl main(int argc, char** argv)
 ctx.write_kernel(pool_base, image.data(), image.size());
 //
- // call driver entry and pass in base address and size of the driver.
+ // driver entry params
 //
 auto entry_point = pool_base + image.entry_point();
 auto size = image.size();
+ //
+ // call driver entry
+ //
 auto result = ctx.syscall(reinterpret_cast(entry_point), pool_base, image.size());
 std::cout << "[+] driver entry returned: " << std::hex << result << std::endl;
- physmeme::unload_drv();
+ //
+ // zero header of driver
+ //
+ ctx.zero_kernel_memory(pool_base, image.header_size());
+ std::cout << "[+] zero'ed driver's pe header" << std::endl;
+
+ //
+ // close and unload vuln drivers
+ //
 std::cout << "[=] press enter to close" << std::endl;
+ physmeme::unload_drv();
 std::cin.get();
 }
\ No newline at end of file
diff --git a/physmeme/physmeme/physmeme.hpp b/physmeme/physmeme/physmeme.hpp
index 9b80ce4..31f284a 100644
--- a/physmeme/physmeme/physmeme.hpp
+++ b/physmeme/physmeme/physmeme.hpp
@@ -21,7 +21,7 @@ namespace physmeme
 // Author: Remy Lebeau
 // taken from here: https://stackoverflow.com/questions/48485364/read-reg-resource-list-memory-values-incorrect-value
 static const auto init_ranges = ([&]() -> bool
- {
+ {
 HKEY h_key;
 DWORD type, size;
 LPBYTE data;
@@ -39,7 +39,7 @@ namespace physmeme
 delete[] data;
 RegCloseKey(h_key);
 return true;
- })();
+ })();
 /* please code this function depending on your method of physical read/write.
diff --git a/physmeme/util/nt.hpp b/physmeme/util/nt.hpp
index f671e6a..4e8012a 100644
--- a/physmeme/util/nt.hpp
+++ b/physmeme/util/nt.hpp
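Review bot: The header wipe `ctx.zero_kernel_memory(pool_base, image.header_size());` runs regardless of what `result` holds, so when DriverEntry returned a failure status the tool still erases the PE header of a driver that never initialised — which both hides the failed image from later analysis and destroys exactly the information you would want when debugging that failure. Assuming `ctx.syscall` returns the signed NTSTATUS that nt.hpp's `DRIVER_INITIALIZE` declares, gate the wipe on success: `if (result >= 0) // NT_SUCCESS: only hide a driver that actually initialised` followed by the existing call, and print the failure status in an else branch instead of the "zero'ed" message. The wipe also happens after DriverEntry has already run, so any mapped driver that later reads its own headers (section table, export directory) breaks from this point on; if that is the intended contract, a comment such as `// mapped drivers must not touch their PE header after DriverEntry returns` would make it explicit. `main` begins above this hunk; its closing brace is the hunk's last line.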
@@ -89,5 +89,5 @@ typedef struct _MM_COPY_ADDRESS {
 using ExAllocatePool = PVOID(__stdcall*) (POOL_TYPE, SIZE_T);
 using ExAllocatePoolWithTag = PVOID(__stdcall*)(POOL_TYPE, SIZE_T, ULONG);
-using MmCopyMemory = NTSTATUS (__fastcall*)(PVOID, MM_COPY_ADDRESS,SIZE_T,ULONG,PSIZE_T);
+using MmCopyMemory = NTSTATUS (__stdcall*)(PVOID, MM_COPY_ADDRESS,SIZE_T,ULONG,PSIZE_T);
 using DRIVER_INITIALIZE = NTSTATUS(__stdcall*)(std::uintptr_t, std::size_t);
\ No newline at end of file
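Review bot: The `__fastcall` to `__stdcall` switch on `MmCopyMemory` is the correct convention (the WDK declares it NTAPI, which is `__stdcall`), but nothing in the file says so, and on x64 MSVC both qualifiers are ignored, so the fix is only observable in an x86 build and a reader could easily take it for a cosmetic alignment with the neighbouring aliases. I would annotate the line: `// NTAPI == __stdcall; differs from __fastcall only on x86, x64 ignores both`. Passing `MM_COPY_ADDRESS` by value matches the WDK prototype, so the parameter list itself looks right. The adjacent `DRIVER_INITIALIZE` alias keeps the project's own `(std::uintptr_t, std::size_t)` entry signature rather than the WDK's `(PDRIVER_OBJECT, PUNICODE_STRING)`, presumably on purpose since main.cpp passes base and size; a one-line comment saying so would stop someone from "correcting" it.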