From aa2c57feed8087d28d8886fa844ecb72bf08d7e0 Mon Sep 17 00:00:00 2001 From: xerox Date: Wed, 16 Sep 2020 21:35:08 +0000 Subject: [PATCH] Update README.md --- README.md | 100 ------------------------------------------------------ 1 file changed, 100 deletions(-) diff --git a/README.md b/README.md index fba7cae..6eaf04c 100644 --- a/README.md +++ b/README.md @@ -11,14 +11,6 @@ Before I begin, those who helped me create this project shall be credited. Given ANY map/unmap (read/write) of physical memory, one can now systematically map unsigned code into ones kernel. Many drivers expose this primitive and now can all be exploited by simply coding a few functions. -# WARNING - -All anti virus softwares must be disabled/uninstalled avast specically... they hook the system service dispatch table with their HV and prevent physmeme from working... - -### What versions of windows does this mapper support? - -This mapper should work without any issues for pretty much all versions of relevant windows. Tested on windows 10 (1803-1909), but should support all the way back to vista. - ### What drivers support physical read/write? Any driver exposing MmMapIoSpace/MmUnmapIoSpace or ZwMapViewOfSection/ZwUnmapViewOfSection can be exploited. This means bios flashing utils, fan speed utils 
@@ -46,98 +38,6 @@ Less then one second. For each physical memory range I create a thread that maps In other words... its very fast, you wont need to worry about waiting to find the correct page. -# How to use - -There are four functions that need to be altered to make this mapper work for you. I will cover each one by one. These functions are defined inside of a `physmeme.hpp` and need -to stay inside of this file. This allows people to make different `physmeme.hpp` files for each driver they want to abuse. Modular code. - -When writing your driver you will need a custom entry point just like every other driver mapper. - -### `HANDLE load_drv()` -Load driver must take zero parameters and return a handle to the driver. Here is an example of this: - -```cpp -/* - please code this function depending on your method of physical read/write. -*/ -HANDLE load_drv() -{ - static const auto load_driver_ptr = - reinterpret_cast<__int64(*)()>( - GetProcAddress(LoadLibrary("pmdll64.dll"), "LoadPhyMemDriver")); - - if (load_driver_ptr) - load_driver_ptr(); - - //--- i dont ever use this handle, its just an example of what you should do. - return CreateFileA("\\\\.\\PhyMem", 0xC0000000, 3u, 0i64, 3u, 0x80u, 0i64); -} -``` - -note: my exploited driver actually came with a dll that exported all the functions. - -### `bool unload_drv()` -Unload driver can and should return a bool but its not needed. There is also no need to pass any parameters since the driver handle is global. - -```cpp -/* - please code this function depending on your method of physical read/write. -*/ -bool unload_drv() -{ - static const auto unload_driver_ptr = - reinterpret_cast<__int64(*)()>( - GetProcAddress(LoadLibrary("pmdll64.dll"), "UnloadPhyMemDriver")); - return unload_driver_ptr ? 
unload_driver_ptr() : false; -} -``` - -### `std::uintptr_t map_phys(std::uintptr_t addr, std::size_t size)` - -This function MUST take two parameters the first is the physical address to be mapped, the second is the size to be mapped. The return -value is the virtual address of the mapping. - -```cpp -/* - please code this function depending on your method of physical read/write. -*/ -std::uintptr_t map_phys( - std::uintptr_t addr, - std::size_t size -) -{ - //--- ensure the validity of the address we are going to try and map - if (!is_valid(addr)) - return NULL; - - static const auto map_phys_ptr = - reinterpret_cast<__int64(__fastcall*)(__int64, unsigned)>( - GetProcAddress(LoadLibrary("pmdll64.dll"), "MapPhyMem")); - return map_phys_ptr ? map_phys_ptr(addr, size) : false; -} -``` - -### `bool unmap_phys(std::uintptr_t addr, std::size_t size)` - -This function must take the virtual address of the mapping (the address returned from map_phys) and the size that was mapped. If this function is unable to free the memory -you will blue screen because you will run out of ram (happend a few times to me). - -```cpp -/* - please code this function depending on your method of physical read/write. -*/ -bool unmap_phys( - std::uintptr_t addr, - std::size_t size -) -{ - static const auto unmap_phys_ptr = - reinterpret_cast<__int64(*)(__int64, unsigned)>( - GetProcAddress(LoadLibrary("pmdll64.dll"), "UnmapPhyMem")); - return unmap_phys_ptr ? unmap_phys_ptr(addr, size) : false; -} -``` - # DriverEntry you can change the paremeters you pass to driver entry simply by changing this:
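Review bot: the first hunk (@@ -11,14 +11,6 @@) deletes the "What versions of windows does this mapper support?" section, which was the README's only compatibility statement (tested on Windows 10 1803-1909), and the WARNING section describing interference from third-party security software, without replacing either or saying where the information moved; the commit message "Update README.md" gives no rationale. If these statements are obsolete, say so in the commit message; otherwise keep at least the one-line tested-versions note, since the remaining text still promises that "Many drivers expose this primitive" without any stated scope of what was actually tested.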
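Review bot: the second hunk (@@ -46,98 +38,6 @@) removes the entire "How to use" section, which was the only documentation of the four-function contract that a per-driver `physmeme.hpp` must provide (`HANDLE load_drv()`, `bool unload_drv()`, `std::uintptr_t map_phys(std::uintptr_t addr, std::size_t size)`, `bool unmap_phys(std::uintptr_t addr, std::size_t size)`), including the caveat that a failing `unmap_phys` leaks mappings until the machine blue-screens. After the deletion the README jumps from "its very fast, you wont need to worry about waiting to find the correct page." straight into "# DriverEntry", so the remaining "you can change the paremeters you pass to driver entry" sentence now has no preceding section establishing that a custom entry point is required. Suggest keeping a short interface listing with the four signatures and the unmap caveat, or linking to wherever this documentation now lives; the pre-existing typo "paremeters" in the unchanged context could be fixed in the same commit.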