From e0f0f1c09aeb54c99379eb87f804b5ae738ab579 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 11:58:55 +0000 Subject: [PATCH 01/11] Add new file --- demo/README.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 demo/README.md diff --git a/demo/README.md b/demo/README.md new file mode 100644 index 0000000..6a9c4d3 --- /dev/null +++ b/demo/README.md @@ -0,0 +1,3 @@ +# Demo + +simply open a console as admin, run "physmeme.exe hello-world.sys" and you should see a DbgPrint inside of dbgview. \ No newline at end of file From 74b9811b49e5240e36a037b0cd809fd645df1a28 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 12:14:19 +0000 Subject: [PATCH 02/11] Update main.cpp --- physmeme/main.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/physmeme/main.cpp b/physmeme/main.cpp index fa1dde4..9cf0125 100644 --- a/physmeme/main.cpp +++ b/physmeme/main.cpp @@ -11,7 +11,7 @@ */ int __cdecl main(int argc, char** argv) { - if (argc < 1) + if (argc < 2) { std::cout << "[-] invalid use, please provide a path to a driver" << std::endl; return -1; From 65f030278a19d22a337c027e1d89d743a202d4c8 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 21:34:01 +0000 Subject: [PATCH 03/11] Update README.md --- README.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index e9ab5a9..cd301eb 100644 --- a/README.md +++ b/README.md 
@@ -28,23 +28,19 @@ If you are in any sort of doubt about the abundance of these drivers simply go t ### How does this exploit work? -First lets start with a given, controlled writes can be leveraged to gain execution. I think people call this "write what where", but nevertheless if you -know where you are writing you can leverage it to gain execution in places that might not have been accessable proir. Now that we have that agreed upon, lets get into the details of how this works. +Since we are able to read/write to any physical memory on the system the goal is to find the physical page of a syscall and map it into our system. This can be done by +calculating the offset into the page in which the syscall resides. Doing so is trival and only requires the modulus operation. -To start, lets first understand that one page of memory reguardless of physical or virtual is typically 0x1000 bytes or 4096 bytes. Now, given a relative virtual address of a syscall -(an address relative to the base of the module) we can modulus the address with the size of a page (0x1000) and get the index into the page. - -``` -auto nt_syscall_offset = rva % 0x1000; +```cpp +auto syscall_page_offet = rva % 0x1000; ``` -This index, combined with the iteraction of each physical page and a comparison of bytes will result in us finding the physical page of a syscall (and its mapped into our process). -This then allows us the ability to install hooks, call the syscall, and then uninstall the hook. The "hook" being `ExAllocatePool`, `ExAllocatePoolWithTag`, and `MmCopyMemory`. +Now that we know that the syscalls bytes are going to be that far into the physical page we can map each physical page into our process 512 at a time (2mb) and then +check the page + page_offset and compare with the syscalls bytes. 
After we have the syscalls page mapped into our process we can pretty much call any function inside +of the kernel simply by installing an inline hook into that mapped page and then calling into the syscall. This is what kdmapper does. -This scanning takes under a second since each physical range is scanned with a seperate thread. To increase speeds i also map 2mb at a time and scan each page (512 pages). - # How to use There are four functions that need to be altered to make this mapper work for you. I will cover each one by one. These functions are defined inside of a `physmeme.hpp` and need From df294a23d03437b42a5d462903c99ad24d4a23c8 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 21:47:42 +0000 Subject: [PATCH 04/11] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index cd301eb..907d5ec 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,7 @@ If you are in any sort of doubt about the abundance of these drivers simply go t ### How does this exploit work? -Since we are able to read/write to any physical memory on the system the goal is to find the physical page of a syscall and map it into our system. This can be done by -calculating the offset into the page in which the syscall resides. Doing so is trival and only requires the modulus operation. +Since we are able to read/write to any physical memory on the system the goal is to find the physical page of a syscall and map it into our system. This can be done by calculating the offset into the page in which the syscall resides. Doing so is trivial and only requires the modulus operation. ```cpp auto syscall_page_offet = rva % 0x1000; From c3561ccbe77d910569da8382cb43b8b32c07033a Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 21:48:09 +0000 Subject: [PATCH 05/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 907d5ec..ec76d65 100644 
--- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Before I begin, those who helped me create this project shall be credited. - Can1357, for helping me find the correct page in physical memory. -- buck, for teaching me everything about paging tables. +- buck, for teaching me everything about paging tables. (although not used in this project) - Ch40zz, for helping me fix many issues in things I could never have fixed. - wlan, I used your drv_image class :) From 6527f71209dce5adcfeaf6bd6332713ebfe73462 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 22:26:52 +0000 Subject: [PATCH 06/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ec76d65..2691c50 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ If you are in any sort of doubt about the abundance of these drivers simply go t ### How does this exploit work? -Since we are able to read/write to any physical memory on the system the goal is to find the physical page of a syscall and map it into our system. This can be done by calculating the offset into the page in which the syscall resides. Doing so is trivial and only requires the modulus operation. +Since we are able to read/write to any physical memory on the system the goal is to find the physical page of a syscall and map it into our process. This can be done by calculating the offset into the page in which the syscall resides. Doing so is trivial and only requires the modulus operation. ```cpp auto syscall_page_offet = rva % 0x1000; From a7e3f4667f5478f48a7ec863cdc788f0da7578cb Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 22:28:23 +0000 Subject: [PATCH 07/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2691c50..fabc521 100644 --- a/README.md +++ b/README.md 
@@ -36,7 +36,7 @@ auto syscall_page_offet = rva % 0x1000; Now that we know that the syscalls bytes are going to be that far into the physical page we can map each physical page into our process 512 at a time (2mb) and then check the page + page_offset and compare with the syscalls bytes. After we have the syscalls page mapped into our process we can pretty much call any function inside -of the kernel simply by installing an inline hook into that mapped page and then calling into the syscall. This is what kdmapper does. +of the kernel simply by installing an inline hook into that mapped page and then calling into the syscall. From 12a2857adb1130cc5052880f157784729c5c07c3 Mon Sep 17 00:00:00 2001 From: xerox Date: Sun, 19 Apr 2020 23:45:21 +0000 Subject: [PATCH 08/11] Update README.md --- demo/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/demo/README.md b/demo/README.md index 6a9c4d3..0f86cf3 100644 --- a/demo/README.md +++ b/demo/README.md @@ -1,3 +1,7 @@ # Demo -simply open a console as admin, run "physmeme.exe hello-world.sys" and you should see a DbgPrint inside of dbgview. \ No newline at end of file +simply open a console as admin, run "physmeme.exe hello-world.sys" and you should see a DbgPrint inside of dbgview. + +- pmdll64.dll is part of a supermicro bios flashing utility +- physmem64.sys is part of a supermicro bios flashing utility +- hello-world.sys just prints the base address and size of the driver :) \ No newline at end of file From a73298befff3c53ce0571a5add0fc7b6a2e746a2 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 20 Apr 2020 00:28:36 +0000 Subject: [PATCH 09/11] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index fabc521..066b566 100644 --- a/README.md +++ b/README.md 
@@ -40,6 +40,10 @@ of the kernel simply by installing an inline hook into that mapped page and then +### How long does it take to find the physical page? + +Less then one second. For each physical memory range I create a thread that maps 2mb at a time of physical memory and scans each physical page. This is on a systemw with 16gb. + # How to use There are four functions that need to be altered to make this mapper work for you. I will cover each one by one. These functions are defined inside of a `physmeme.hpp` and need From a47db7e8921b3d28ec0378420c137ab75bb5ee87 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 20 Apr 2020 00:29:40 +0000 Subject: [PATCH 10/11] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 066b566..422760b 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,9 @@ of the kernel simply by installing an inline hook into that mapped page and then ### How long does it take to find the physical page? -Less then one second. For each physical memory range I create a thread that maps 2mb at a time of physical memory and scans each physical page. This is on a systemw with 16gb. +Less then one second. For each physical memory range I create a thread that maps 2mb at a time of physical memory and scans each physical page. This is on a system with 16gb. + +In other words... its very fast, you wont need to worry about waiting to find the correct page. # How to use From 1cf14f4ca649562ebd1549a66f5d2f132dc23797 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 20 Apr 2020 00:30:11 +0000 Subject: [PATCH 11/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 422760b..5fd6d91 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,7 @@ Before I begin, those who helped me create this project shall be credited. # Physmeme -Given map/unmap (read/write) of physical memory, one can now systematically map unsigned code into ones kernel. +Given ANY map/unmap (read/write) of physical memory, one can now systematically map unsigned code into ones kernel. Many drivers expose this primitive and now can all be exploited by simply coding a few functions. ### What versions of windows does this mapper support?
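Review bot: in PATCH 01/11 (demo/README.md) the new file ends without a trailing newline (`\ No newline at end of file`) and its single instruction does not say which files the demo directory ships or what `hello-world.sys` does; add the newline and a short list of the files so a reader knows what `physmeme.exe hello-world.sys` will load before running it from an elevated console.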
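Review bot: in PATCH 02/11 (physmeme/main.cpp) changing `if (argc < 1)` to `if (argc < 2)` is the correct fix, since `argc` counts `argv[0]` and the old condition could never be true, so a run with no driver path was never rejected by this check; consider also verifying that `argv[1]` names a readable file before continuing, so a mistyped path fails here with a clear message rather than later in the loader.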
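Review bot: in PATCH 03/11 (README.md, "How does this exploit work?") the identifier in the new fenced block is misspelled, `auto syscall_page_offet = rva % 0x1000;` should read `syscall_page_offset`, and the typo is carried along as context through PATCH 04, 06 and 07; the prose also has `trival` for `trivial` (fixed in PATCH 04) and `syscalls bytes` / `syscalls page` for `syscall's bytes` / `syscall's page`. The hunk additionally deletes the sentence explaining that each physical range is scanned on a separate thread, which PATCH 09 then re-adds under a new heading; PATCH 03 through 07 and 09 through 11 all rework the same few README paragraphs and would be easier to review squashed into one or two commits.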
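Review bot: in PATCH 07/11 (README.md) dropping "This is what kdmapper does." removes the only reference to kdmapper in the file; if the comparison was cut because it is inaccurate that is fine, otherwise keep the attribution, for example in the credits list at the top of the README, rather than deleting it. The context line `auto syscall_page_offet = rva % 0x1000;` still carries the `offet` typo.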
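Review bot: in PATCH 08/11 (demo/README.md) the bullets attributing `pmdll64.dll` and `physmem64.sys` to a Supermicro BIOS flashing utility should also record the utility version and the file hashes, so anyone cloning the repo can check that the binaries in `demo/` are the unmodified vendor-signed files and not something swapped in; the file still ends without a trailing newline, and the third bullet's description of `hello-world.sys` restates the DbgPrint sentence from PATCH 01, so the two could be merged.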
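Review bot: in PATCH 09/11 (README.md) the new paragraph has `Less then one second` for `Less than one second` and `systemw` for `system` (the latter is fixed in PATCH 10, the former is not); `16gb` should be `16 GB`, and since the scan time depends on the number of cores available for the per-range threads as much as on the amount of RAM, stating the CPU used would make the figure reproducible.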
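Review bot: in PATCH 10/11 (README.md) the added line `In other words... its very fast, you wont need to worry about waiting to find the correct page.` needs `it's` and `won't`, and it only repeats the sentence above it; either drop it or fold the point into the previous paragraph. The context line above still reads `Less then one second`.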
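Review bot: in PATCH 11/11 (README.md) the capitalised `ANY` reads as shouting; the README already uses markdown, so `*any*` is the conventional emphasis, and `ones kernel` should be `one's kernel`. In the unchanged context line, `now can all be exploited` reads better as `can now all be exploited`.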