exported KMemDriver virt mem related functions to an extra module

author: Toni Uhlig <matzeton@googlemail.com> 2019-08-20 23:45:20 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2019-08-20 23:45:20 +0200
commit: a3e36262204cc39ff1998cacbe4ceb35b9b073b5 (patch)
tree: f5223db2fa900777bb6396c538b7c126a73b66e0 /KMemDriver
parent: e10481772d53ca28f6b1b17cc24c6cee090707ff (diff)
5 files changed, 194 insertions, 73 deletions
diff --git a/KMemDriver/KMemDriver.c b/KMemDriver/KMemDriver.c
index 290a86c..c891736 100644
--- a/KMemDriver/KMemDriver.c
+++ b/KMemDriver/KMemDriver.c
@@ -111,6 +111,10 @@ NTSTATUS VADProtect(
 	IN ULONG_PTR address,
 	IN ULONG prot
 );
+PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(
+	PVOID pHandleTable,
+	HANDLE handle
+);
 
 #pragma alloc_text(PAGE, WaitForControlProcess)
 #pragma alloc_text(PAGE, VerifyControlProcess)
@@ -129,6 +133,7 @@ NTSTATUS VADProtect(
 #pragma alloc_text(PAGE, VADFindNodeOrParent)
 #pragma alloc_text(PAGE, VADFind)
 #pragma alloc_text(PAGE, VADProtect)
+#pragma alloc_text(PAGE, ExpLookupHandleTableEntry)
 
 static void fn_zero_text(PVOID fn_start);
 static HANDLE ctrlPID;
@@ -675,6 +680,10 @@ NTSTATUS UpdatePPEPIfRequired(
 				KDBG("VSIZE........: %d\n", *((UINT64 *)pep + 0x338));
 				KDBG("IMAGEFILENAME: %.*s\n", 15, ((const char *)pep + 0x450));
 #endif
+#if 0
+				PVOID handleTable = (PVOID)((ULONG_PTR)pep + 0x418);
+				KDBG("lastPROC HandleTableEntry: %p\n", ExpLookupHandleTableEntry(handleTable, *lastPROC));
+#endif
 			}
 		}
 	}
@@ -846,79 +855,6 @@ NTSTATUS GetModules(
 	return STATUS_SUCCESS;
 }
 
-NTSTATUS KeReadVirtualMemory(
-	IN PEPROCESS Process, IN PVOID SourceAddress,
-	IN PVOID TargetAddress, IN PSIZE_T Size
-)
-{
-	NTSTATUS status;
-	SIZE_T Bytes = 0;
-
-	status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
-		TargetAddress, *Size, KernelMode, &Bytes);
-	if (NT_SUCCESS(status))
-	{
-		*Size = Bytes;
-		return STATUS_SUCCESS;
-	}
-	else {
-		return status;
-	}
-}
-
-NTSTATUS KeWriteVirtualMemory(
-	IN PEPROCESS Process, IN PVOID SourceAddress,
-	IN PVOID TargetAddress, IN PSIZE_T Size
-)
-{
-	NTSTATUS status;
-	SIZE_T Bytes = 0;
-
-	status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
-		TargetAddress, *Size, KernelMode, &Bytes);
-	if (NT_SUCCESS(status))
-	{
-		*Size = Bytes;
-		return STATUS_SUCCESS;
-	}
-	else {
-		return status;
-	}
-}
-
-NTSTATUS KeProtectVirtualMemory(
-	IN HANDLE hProcess, IN PVOID addr,
-	IN SIZE_T siz, IN ULONG new_prot,
-	OUT ULONG *old_prot
-)
-{
-	NTSTATUS status;
-	PVOID prot_addr = addr;
-	SIZE_T prot_size = siz;
-	ULONG prot = 0;
-
-	status = ZwProtectVirtualMemory(hProcess, &prot_addr,
-		&prot_size, new_prot, &prot);
-	if (NT_SUCCESS(status)) {
-		*old_prot = prot;
-	}
-	return status;
-}
-
-NTSTATUS KeRestoreProtectVirtualMemory(IN HANDLE hProcess,
-	IN PVOID addr, IN SIZE_T siz,
-	IN ULONG old_prot)
-{
-	NTSTATUS status;
-	PVOID prot_addr = addr;
-	SIZE_T prot_size = siz;
-	ULONG prot = 0;
-
-	status = ZwProtectVirtualMemory(hProcess, &prot_addr,
-		&prot_size, old_prot, &prot);
-	return status;
-}
-
 static void fn_zero_text(PVOID fn_start)
 {
 	SIZE_T i;
@@ -1085,4 +1021,29 @@ NTSTATUS VADProtect(
 		pVadShort->u.VadFlags.Protection = prot;
 
 	return status;
+}
+
+PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(PVOID pHandleTable, HANDLE handle)
+{
+	unsigned __int64 v2; // rdx
+	__int64 v3; // r8
+	signed __int64 v4; // rax
+	__int64 v5; // rax
+
+	v2 = (__int64)handle & 0xFFFFFFFFFFFFFFFCui64;
+	if (v2 >= *(DWORD*)pHandleTable)
+		return 0i64;
+	v3 = *((uintptr_t*)pHandleTable + 1);
+	v4 = *((uintptr_t *)pHandleTable + 1) & 3i64;
+	if ((UINT32)v4 == 1)
+	{
+		v5 = *(uintptr_t*)(v3 + 8 * (v2 >> 10) - 1);
+		return (PHANDLE_TABLE_ENTRY)(v5 + 4 * (v2 & 0x3FF));
+	}
+	if ((UINT32)v4)
+	{
+		v5 = *(uintptr_t*)(*(uintptr_t *)(v3 + 8 * (v2 >> 19) - 2) + 8 * ((v2 >> 10) & 0x1FF));
+		return (PHANDLE_TABLE_ENTRY)(v5 + 4 * (v2 & 0x3FF));
+	}
+	return (PHANDLE_TABLE_ENTRY)(v3 + 4 * v2);
 }
 \ No newline at end of file
diff --git a/KMemDriver/KMemDriver.vcxproj b/KMemDriver/KMemDriver.vcxproj
index 898b55d..7f1e95c 100644
--- a/KMemDriver/KMemDriver.vcxproj
+++ b/KMemDriver/KMemDriver.vcxproj
@@ -159,6 +159,7 @@
     <ClCompile>
       <PreprocessorDefinitions>KERNEL_MODULE;_DEBUG_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <AdditionalIncludeDirectories>$(SolutionDir)include;$(SolutionDir)$(SolutionName);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <ExceptionHandling>SyncCThrow</ExceptionHandling>
     </ClCompile>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -173,6 +174,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="KMemDriver.c" />
+    <ClCompile Include="Memory.c" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\include\KMemDriver.h" />
diff --git a/KMemDriver/KMemDriver.vcxproj.filters b/KMemDriver/KMemDriver.vcxproj.filters
index 218ceac..527bb33 100644
--- a/KMemDriver/KMemDriver.vcxproj.filters
+++ b/KMemDriver/KMemDriver.vcxproj.filters
@@ -25,5 +25,8 @@
     <ClCompile Include="KMemDriver.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="Memory.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>
 \ No newline at end of file
diff --git a/KMemDriver/Memory.c b/KMemDriver/Memory.c
new file mode 100644
index 0000000..2cecae8
--- /dev/null
+++ b/KMemDriver/Memory.c
@@ -0,0 +1,95 @@
+#include "KMemDriver.h"
+#include "Imports.h"
+#include "Native.h"
+
+#include <ntddk.h>
+#include <Ntstrsafe.h>
+
+NTSTATUS KeReadVirtualMemory(
+	IN PEPROCESS Process, IN PVOID SourceAddress,
+	IN PVOID TargetAddress, IN PSIZE_T Size
+)
+{
+	NTSTATUS status;
+	SIZE_T Bytes = 0;
+
+	try {
+		status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
+			TargetAddress, *Size, KernelMode, &Bytes);
+	} except(STATUS_ACCESS_VIOLATION) {
+		return STATUS_ACCESS_VIOLATION;
+	}
+	if (NT_SUCCESS(status))
+	{
+		*Size = Bytes;
+		return STATUS_SUCCESS;
+	}
+	else {
+		return status;
+	}
+}
+
+NTSTATUS KeWriteVirtualMemory(
+	IN PEPROCESS Process, IN PVOID SourceAddress,
+	IN PVOID TargetAddress, IN PSIZE_T Size
+)
+{
+	NTSTATUS status;
+	SIZE_T Bytes = 0;
+
+	try {
+		status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
+			TargetAddress, *Size, KernelMode, &Bytes);
+	} except(STATUS_ACCESS_VIOLATION) {
+		return STATUS_ACCESS_VIOLATION;
+	}
+	if (NT_SUCCESS(status))
+	{
+		*Size = Bytes;
+		return STATUS_SUCCESS;
+	}
+	else {
+		return status;
+	}
+}
+
+NTSTATUS KeProtectVirtualMemory(
+	IN HANDLE hProcess, IN PVOID addr,
+	IN SIZE_T siz, IN ULONG new_prot,
+	OUT ULONG *old_prot
+)
+{
+	NTSTATUS status;
+	PVOID prot_addr = addr;
+	SIZE_T prot_size = siz;
+	ULONG prot = 0;
+
+	try {
+		status = ZwProtectVirtualMemory(hProcess, &prot_addr,
+			&prot_size, new_prot, &prot);
+		if (NT_SUCCESS(status)) {
+			*old_prot = prot;
+		}
+	} except(STATUS_ACCESS_VIOLATION) {
+		return STATUS_ACCESS_VIOLATION;
+	}
+	return status;
+}
+
+NTSTATUS KeRestoreProtectVirtualMemory(IN HANDLE hProcess,
+	IN PVOID addr, IN SIZE_T siz,
+	IN ULONG old_prot)
+{
+	NTSTATUS status;
+	PVOID prot_addr = addr;
+	SIZE_T prot_size = siz;
+	ULONG prot = 0;
+
+	try {
+		status = ZwProtectVirtualMemory(hProcess, &prot_addr,
+			&prot_size, old_prot, &prot);
+	} except(STATUS_ACCESS_VIOLATION) {
+		return STATUS_ACCESS_VIOLATION;
+	}
+	return status;
+}
+\ No newline at end of file
diff --git a/KMemDriver/Native.h b/KMemDriver/Native.h
index e19e3bd..326940e 100644
--- a/KMemDriver/Native.h
+++ b/KMemDriver/Native.h
@@ -231,5 +231,65 @@ typedef struct _RTL_AVL_TREE // Size=8
 	UINT64 NumberGenericTableElements;
 } RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;
 
+typedef struct _HANDLE_TABLE_ENTRY_INFO {
+	UINT32 AuditMask;
+	UINT32 MaxRelativeAccessMask;
+} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _HANDLE_TABLE_ENTRY
+{
+	union
+	{
+		PVOID Object;
+		ULONG ObAttributes;
+		PHANDLE_TABLE_ENTRY_INFO InfoTable;
+		ULONG Value;
+	};
+	union
+	{
+		ULONG GrantedAccess;
+		struct
+		{
+			SHORT GrantedAccessIndex;
+			SHORT CreatorBackTraceIndex;
+		};
+		LONG NextFreeTableEntry;
+	};
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+
+typedef struct _HANDLE_TABLE_FREE_LIST
+{
+	EX_PUSH_LOCK FreeListLock;
+	PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
+	PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
+	UINT32 HandleCount;
+	UINT32 HighWaterMark;
+} HANDLE_TABLE_FREE_LIST, *PHANDLE_TABLE_FREE_LIST;
+
+typedef struct _HANDLE_TABLE
+{
+	UINT32 NextHandleNeedingPool;
+	UINT32 ExtraInfoPages;
+	UINT32 TableCode;
+	PEPROCESS QuotaProcess;
+	LIST_ENTRY HandleTableList;
+	UINT32 UniqueProcessId;
+	union {
+		UINT32 Flags;
+		struct {
+			UINT32 StrictFIFO : 1;
+			UINT32 EnableHandleExceptions : 1;
+			UINT32 Rundown : 1;
+			UINT32 Duplicated : 1;
+			UINT32 RaiseUMExceptionOnInvalidHandleClose : 1;
+		};
+	};
+	EX_PUSH_LOCK HandleContentionEvent;
+	EX_PUSH_LOCK HandleTableLock;
+	HANDLE_TABLE_FREE_LIST FreeLists;
+	UCHAR ActualEntry[32];
+	PVOID DebugInfo;
+} PHANDLE_TABLE;
+
 #pragma pack(pop)
 #pragma warning(default : 4214 4201)
 \ No newline at end of file
author	Toni Uhlig <matzeton@googlemail.com>	2019-08-20 23:45:20 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2019-08-20 23:45:20 +0200
commit	a3e36262204cc39ff1998cacbe4ceb35b9b073b5 (patch)
tree	f5223db2fa900777bb6396c538b7c126a73b66e0 /KMemDriver
parent	e10481772d53ca28f6b1b17cc24c6cee090707ff (diff)