authorToni Uhlig <matzeton@googlemail.com>2019-09-15 16:23:03 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-09-15 16:23:03 +0200
commit6ca45bb8c15713521134bbf61b7bcaa49e4ef229 (patch)
tree54036879aaa9c3f524751e21c1e79325ebc22afd /KMemDriver
parent9d575399136a0d1fab1f93eb03b42092f506a28e (diff)
VAD Unlink test, currently not working as expected
Diffstat (limited to 'KMemDriver')
-rw-r--r--KMemDriver/KMemDriver.c17
-rw-r--r--KMemDriver/Memory.c17
-rw-r--r--KMemDriver/Native.h85
-rw-r--r--KMemDriver/VAD.c37
4 files changed, 146 insertions, 10 deletions
diff --git a/KMemDriver/KMemDriver.c b/KMemDriver/KMemDriver.c
index 8d63e74..39b0cca 100644
--- a/KMemDriver/KMemDriver.c
+++ b/KMemDriver/KMemDriver.c
@@ -116,6 +116,10 @@ NTSTATUS VADProtect(
IN ULONG_PTR address,
IN ULONG prot
);
+NTSTATUS VADUnlink(
+ IN PEPROCESS pProcess,
+ IN ULONG_PTR address
+);
PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(
PVOID pHandleTable,
HANDLE handle
@@ -140,6 +144,7 @@ PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(
#pragma alloc_text(PAGE, VADFindNodeOrParent)
#pragma alloc_text(PAGE, VADFind)
#pragma alloc_text(PAGE, VADProtect)
+#pragma alloc_text(PAGE, VADUnlink)
#pragma alloc_text(PAGE, ExpLookupHandleTableEntry)
static void fn_zero_text(PVOID fn_start);
@@ -654,7 +659,7 @@ NTSTATUS UpdatePPEPIfRequired(
KDBG("ObOpenObjectByPointer failed with 0x%X\n", status);
}
else {
-#if 0
+#if 1
PEPROCESS pep = *lastPEP;
PVOID addr = NULL;
SIZE_T size = 1024;
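Review bot: Flipping `#if 0` to `#if 1` makes the VAD test block run unconditionally inside UpdatePPEPIfRequired, which the commit title itself describes as not yet working; a bare `#if 1` is easy to forget and ships the test path with every build. Gate it behind a named compile-time switch (e.g. `#ifdef KMEM_VAD_TEST`, name constructed) so the experiment can be switched off without editing the function body. UpdatePPEPIfRequired starts and ends outside this hunk.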
@@ -666,12 +671,20 @@ NTSTATUS UpdatePPEPIfRequired(
PMMVAD_SHORT mmvad;
status = VADFind(pep, (ULONG_PTR)addr, &mmvad);
KDBG("VAD Test.......: 0x%p -> 0x%p (status: 0x%X)\n", addr, mmvad->StartingVpn, status);
-
+#if 1
+ status = VADUnlink(pep, (ULONG_PTR)addr);
+ if (!NT_SUCCESS(status))
+ {
+ KDBG("VAD Unlink failed: 0x%p (status: 0x%X)\n", addr, status);
+ status = STATUS_SUCCESS;
+ }
+#else
if (!NT_SUCCESS(FreeMemoryFromProcess(*lastPEP, addr, size)))
{
KDBG("VAD Test Free failed: 0x%p (status: 0x%X)\n", addr, status);
}
#endif
+#endif
#if 0
PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + VAD_TREE_1803);
KDBG("VAD-ROOT.....: 0x%p\n", GET_VAD_ROOT(avltable));
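Review bot: The new failure branch logs the VADUnlink error and then overwrites `status` with STATUS_SUCCESS, so the function's return value no longer reflects that a kernel-structure modification failed; if the test is meant to be best-effort, say so rather than silently discarding the code, e.g. `// best-effort test: VADUnlink failure must not fail UpdatePPEPIfRequired`. The context line just above the new block also dereferences `mmvad->StartingVpn` in a KDBG before the `status` returned by VADFind is checked, which is likely a NULL or stale dereference when the lookup fails. With the nested `#if 1`/`#else`, the pre-existing `#endif` now closes the inner block and the added one closes the outer; annotating them (`#endif // VADUnlink vs. FreeMemoryFromProcess` and `#endif // VAD test`) would make the pairing readable. UpdatePPEPIfRequired starts and ends outside this hunk.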
diff --git a/KMemDriver/Memory.c b/KMemDriver/Memory.c
index 2aacf06..d829413 100644
--- a/KMemDriver/Memory.c
+++ b/KMemDriver/Memory.c
@@ -41,10 +41,11 @@ NTSTATUS GetPages(
break;
}
else {
- for (i = 0; i < mbiLength; ++i)
- KDBG("Page #%03u: base -> 0x%p, prot -> 0x%02X, size -> 0x%X\n",
- (*mbiUsed) + i, (*(mbiArr + i)).BaseAddress, (*(mbiArr + i)).Protect,
- (*(mbiArr + i)).RegionSize);
+ for (i = 0; i < mbiLength; ++i) {
+ //KDBG("Page #%03u: base -> 0x%p, prot -> 0x%02X, size -> 0x%X\n",
+ // (*mbiUsed) + i, (*(mbiArr + i)).BaseAddress, (*(mbiArr + i)).Protect,
+ // (*(mbiArr + i)).RegionSize);
+ }
}
baseAddr += (SIZE_T)(mbiArr + mbiLength - 1)->RegionSize;
*mbiUsed += mbiLength;
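Review bot: Commenting out the KDBG leaves `for (i = 0; i < mbiLength; ++i) { }` as a loop with an empty body, so the loop now does nothing and `i` is probably assigned-but-unused, which compilers flag; the same commented-out-log pattern is repeated in the hunks at `@@ -113,8 +114,8 @@ GetModules` and `@@ -161,8 +162,8 @@ GetModules`. Either delete the dead loop and the commented lines (the history keeps them) or keep the logging behind a verbosity macro so it can be re-enabled without editing source, e.g. `#ifdef KMEM_VERBOSE_PAGES` (name constructed). GetPages starts and ends outside this hunk.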
@@ -113,8 +114,8 @@ NTSTATUS GetModules(
}
pmod->DllBase = (PVOID)ldrEntry32->DllBase;
pmod->SizeOfImage = ldrEntry32->SizeOfImage;
- KDBG("DLL32 #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
- pmod->DllBase, pmod->SizeOfImage, pmod->BaseDllName);
+ //KDBG("DLL32 #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
+ // pmod->DllBase, pmod->SizeOfImage, pmod->BaseDllName);
}
}
else {
@@ -161,8 +162,8 @@ NTSTATUS GetModules(
}
pmod->DllBase = ldrEntry->DllBase;
pmod->SizeOfImage = ldrEntry->SizeOfImage;
- KDBG("DLL #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
- pmod->DllBase, pmod->SizeOfImage, pmod->BaseDllName);
+ //KDBG("DLL #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
+ // pmod->DllBase, pmod->SizeOfImage, pmod->BaseDllName);
}
}
diff --git a/KMemDriver/Native.h b/KMemDriver/Native.h
index 326940e..6d7d684 100644
--- a/KMemDriver/Native.h
+++ b/KMemDriver/Native.h
@@ -224,6 +224,91 @@ typedef struct _MMVAD_SHORT // Size=64
struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
} MMVAD_SHORT, *PMMVAD_SHORT;
+struct _MMVAD_FLAGS2 // Size=4
+{
+ unsigned long FileOffset : 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
+ unsigned long Large : 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
+ unsigned long TrimBehind : 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
+ unsigned long Inherit : 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
+ unsigned long CopyOnWrite : 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
+ unsigned long NoValidationNeeded : 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
+ unsigned long Spare : 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
+};
+
+struct _MI_VAD_SEQUENTIAL_INFO // Size=8
+{
+ unsigned __int64 Length : 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
+ unsigned __int64 Vpn : 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
+};
+
+union ___unnamed2047 // Size=4
+{
+ unsigned long LongFlags2; // Size=4 Offset=0
+ struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
+};
+
+union ___unnamed2048 // Size=8
+{
+ struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
+ struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
+};
+
+typedef union _EX_FAST_REF // Size=8
+{
+ void * Object;
+ struct
+ {
+ unsigned __int64 RefCnt : 4;
+ };
+ unsigned __int64 Value;
+} EX_FAST_REF, *PEX_FAST_REF;
+
+typedef struct _CONTROL_AREA // Size=120
+{
+ struct _SEGMENT * Segment;
+ struct _LIST_ENTRY ListHead;
+ unsigned __int64 NumberOfSectionReferences;
+ unsigned __int64 NumberOfPfnReferences;
+ unsigned __int64 NumberOfMappedViews;
+ unsigned __int64 NumberOfUserReferences;
+ unsigned long f1;
+ unsigned long f2;
+ EX_FAST_REF FilePointer;
+ // Other fields
+} CONTROL_AREA, *PCONTROL_AREA;
+
+typedef struct _SUBSECTION // Size=56
+{
+ PCONTROL_AREA ControlArea;
+ // Other fields
+} SUBSECTION, *PSUBSECTION;
+
+typedef struct _MMVAD // Size=128
+{
+ struct _MMVAD_SHORT Core; // Size=64 Offset=0
+ union ___unnamed2047 u2; // Size=4 Offset=64
+ unsigned long pad0; // Size=4 Offset=68
+ struct _SUBSECTION * Subsection; // Size=8 Offset=72
+ struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
+ struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
+ struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
+ struct _EPROCESS * VadsProcess; // Size=8 Offset=112
+ union ___unnamed2048 u4; // Size=8 Offset=120
+ struct _FILE_OBJECT * FileObject; // Size=8 Offset=128
+} MMVAD, *PMMVAD;
+
+typedef enum _MI_VAD_TYPE
+{
+ VadNone,
+ VadDevicePhysicalMemory,
+ VadImageMap,
+ VadAwe,
+ VadWriteWatch,
+ VadLargePages,
+ VadRotatePhysical,
+ VadLargePageSection
+} MI_VAD_TYPE, *PMI_VAD_TYPE;
+
typedef struct _RTL_AVL_TREE // Size=8
{
PMM_AVL_NODE BalancedRoot;
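Review bot: The `_MMVAD` header comment claims Size=128, but the last member `FileObject` is annotated Offset=128 Size=8, so the declared layout is 136 bytes; one of the two is wrong, and since VADUnlink casts a PMMVAD_SHORT to PMMVAD and reads `Subsection` through it, the offsets should be confirmed against the target build's symbols before use (the `VAD_TREE_1803` name in this same commit suggests these are per-build). `___unnamed2047` and `___unnamed2048` begin with a double underscore, which C reserves for the implementation; a project-prefixed tag, or an anonymous union inside `_MMVAD` in the style the file already uses for the anonymous struct in `_EX_FAST_REF`, avoids that. `_CONTROL_AREA` and `_SUBSECTION` are explicitly truncated with `// Other fields`, so a comment such as `// partial layout: never use sizeof for allocation or pointer arithmetic` would save a later surprise.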
diff --git a/KMemDriver/VAD.c b/KMemDriver/VAD.c
index 94c7397..7c3e9d6 100644
--- a/KMemDriver/VAD.c
+++ b/KMemDriver/VAD.c
@@ -5,6 +5,9 @@
#include <ntddk.h>
#include <Ntstrsafe.h>
+#define MM_ZERO_ACCESS 0
+
+
TABLE_SEARCH_RESULT
VADFindNodeOrParent(
IN PMM_AVL_TABLE Table,
@@ -130,4 +133,38 @@ NTSTATUS VADProtect(
pVadShort->u.VadFlags.Protection = prot;
return status;
+}
+
+NTSTATUS VADUnlink(IN PEPROCESS pProcess, IN ULONG_PTR address)
+{
+ NTSTATUS status = STATUS_SUCCESS;
+ PMMVAD_SHORT pVadShort = NULL;
+
+ status = VADFind(pProcess, address, &pVadShort);
+ if (!NT_SUCCESS(status))
+ return status;
+
+ // Erase image name
+ if (pVadShort->u.VadFlags.VadType == VadImageMap)
+ {
+ PMMVAD pVadLong = (PMMVAD)pVadShort;
+ if (pVadLong->Subsection && pVadLong->Subsection->ControlArea && pVadLong->Subsection->ControlArea->FilePointer.Object)
+ {
+ PFILE_OBJECT pFile = (PFILE_OBJECT)(pVadLong->Subsection->ControlArea->FilePointer.Value & ~0xF);
+ pFile->FileName.Buffer[0] = L'\0';
+ pFile->FileName.Length = 0;
+ }
+ else
+ return STATUS_INVALID_ADDRESS;
+ }
+ // Make NO_ACCESS
+ else if (pVadShort->u.VadFlags.VadType == VadDevicePhysicalMemory)
+ {
+ pVadShort->u.VadFlags.Protection = MM_ZERO_ACCESS;
+ }
+ // Invalid VAD type
+ else
+ status = STATUS_INVALID_PARAMETER;
+
+ return status;
} \ No newline at end of file
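Review bot: `pFile->FileName.Buffer[0] = L'\0'` writes through `FileName.Buffer` without checking that it is non-NULL or that `FileName.Length` covers at least one WCHAR; an empty UNICODE_STRING legitimately has a NULL Buffer, and in kernel mode that write is a bugcheck rather than a recoverable fault. Guard it with `if (pFile->FileName.Buffer && pFile->FileName.Length >= sizeof(WCHAR))` before the two assignments. As far as this hunk shows, the FILE_OBJECT reached via `Subsection->ControlArea->FilePointer` is not owned by this VAD — a control area's file object is typically shared with every other mapping of the same file — so the mutation alters system-wide state from one process's VAD; if that is intended it deserves a comment, and if not the write should be reconsidered. The function name suggests removing the node from the tree, but the body only rewrites the image name or the protection bits; a header comment like `// Rewrites the mapped image's FileName (VadImageMap) or sets Protection to MM_ZERO_ACCESS (VadDevicePhysicalMemory); the VAD itself stays in the tree` documents the actual contract, and the mix of early `return` and `status =` for the error paths would be easier to follow if one style were used throughout.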