authorToni Uhlig <matzeton@googlemail.com>2019-08-20 23:45:20 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-08-20 23:45:20 +0200
commita3e36262204cc39ff1998cacbe4ceb35b9b073b5 (patch)
treef5223db2fa900777bb6396c538b7c126a73b66e0 /KMemDriver
parente10481772d53ca28f6b1b17cc24c6cee090707ff (diff)
exported KMemDriver virt mem related functions to an extra module
Diffstat (limited to 'KMemDriver')
-rw-r--r--KMemDriver/KMemDriver.c107
-rw-r--r--KMemDriver/KMemDriver.vcxproj2
-rw-r--r--KMemDriver/KMemDriver.vcxproj.filters3
-rw-r--r--KMemDriver/Memory.c95
-rw-r--r--KMemDriver/Native.h60
5 files changed, 194 insertions, 73 deletions
diff --git a/KMemDriver/KMemDriver.c b/KMemDriver/KMemDriver.c
index 290a86c..c891736 100644
--- a/KMemDriver/KMemDriver.c
+++ b/KMemDriver/KMemDriver.c
@@ -111,6 +111,10 @@ NTSTATUS VADProtect(
IN ULONG_PTR address,
IN ULONG prot
);
+PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(
+ PVOID pHandleTable,
+ HANDLE handle
+);
#pragma alloc_text(PAGE, WaitForControlProcess)
#pragma alloc_text(PAGE, VerifyControlProcess)
@@ -129,6 +133,7 @@ NTSTATUS VADProtect(
#pragma alloc_text(PAGE, VADFindNodeOrParent)
#pragma alloc_text(PAGE, VADFind)
#pragma alloc_text(PAGE, VADProtect)
+#pragma alloc_text(PAGE, ExpLookupHandleTableEntry)
static void fn_zero_text(PVOID fn_start);
static HANDLE ctrlPID;
@@ -675,6 +680,10 @@ NTSTATUS UpdatePPEPIfRequired(
KDBG("VSIZE........: %d\n", *((UINT64 *)pep + 0x338));
KDBG("IMAGEFILENAME: %.*s\n", 15, ((const char *)pep + 0x450));
#endif
+#if 0
+ PVOID handleTable = (PVOID)((ULONG_PTR)pep + 0x418);
+ KDBG("lastPROC HandleTableEntry: %p\n", ExpLookupHandleTableEntry(handleTable, *lastPROC));
+#endif
}
}
}
@@ -846,79 +855,6 @@ NTSTATUS GetModules(
return STATUS_SUCCESS;
}
-NTSTATUS KeReadVirtualMemory(
- IN PEPROCESS Process, IN PVOID SourceAddress,
- IN PVOID TargetAddress, IN PSIZE_T Size
-)
-{
- NTSTATUS status;
- SIZE_T Bytes = 0;
-
- status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
- TargetAddress, *Size, KernelMode, &Bytes);
- if (NT_SUCCESS(status))
- {
- *Size = Bytes;
- return STATUS_SUCCESS;
- }
- else {
- return status;
- }
-}
-
-NTSTATUS KeWriteVirtualMemory(
- IN PEPROCESS Process, IN PVOID SourceAddress,
- IN PVOID TargetAddress, IN PSIZE_T Size
-)
-{
- NTSTATUS status;
- SIZE_T Bytes = 0;
-
- status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
- TargetAddress, *Size, KernelMode, &Bytes);
- if (NT_SUCCESS(status))
- {
- *Size = Bytes;
- return STATUS_SUCCESS;
- }
- else {
- return status;
- }
-}
-
-NTSTATUS KeProtectVirtualMemory(
- IN HANDLE hProcess, IN PVOID addr,
- IN SIZE_T siz, IN ULONG new_prot,
- OUT ULONG *old_prot
-)
-{
- NTSTATUS status;
- PVOID prot_addr = addr;
- SIZE_T prot_size = siz;
- ULONG prot = 0;
-
- status = ZwProtectVirtualMemory(hProcess, &prot_addr,
- &prot_size, new_prot, &prot);
- if (NT_SUCCESS(status)) {
- *old_prot = prot;
- }
- return status;
-}
-
-NTSTATUS KeRestoreProtectVirtualMemory(IN HANDLE hProcess,
- IN PVOID addr, IN SIZE_T siz,
- IN ULONG old_prot)
-{
- NTSTATUS status;
- PVOID prot_addr = addr;
- SIZE_T prot_size = siz;
- ULONG prot = 0;
-
- status = ZwProtectVirtualMemory(hProcess, &prot_addr,
- &prot_size, old_prot, &prot);
- return status;
-}
-
static void fn_zero_text(PVOID fn_start)
{
SIZE_T i;
@@ -1085,4 +1021,29 @@ NTSTATUS VADProtect(
pVadShort->u.VadFlags.Protection = prot;
return status;
+}
+
+PHANDLE_TABLE_ENTRY ExpLookupHandleTableEntry(PVOID pHandleTable, HANDLE handle)
+{
+ unsigned __int64 v2; // rdx
+ __int64 v3; // r8
+ signed __int64 v4; // rax
+ __int64 v5; // rax
+
+ v2 = (__int64)handle & 0xFFFFFFFFFFFFFFFCui64;
+ if (v2 >= *(DWORD*)pHandleTable)
+ return 0i64;
+ v3 = *((uintptr_t*)pHandleTable + 1);
+ v4 = *((uintptr_t *)pHandleTable + 1) & 3i64;
+ if ((UINT32)v4 == 1)
+ {
+ v5 = *(uintptr_t*)(v3 + 8 * (v2 >> 10) - 1);
+ return (PHANDLE_TABLE_ENTRY)(v5 + 4 * (v2 & 0x3FF));
+ }
+ if ((UINT32)v4)
+ {
+ v5 = *(uintptr_t*)(*(uintptr_t *)(v3 + 8 * (v2 >> 19) - 2) + 8 * ((v2 >> 10) & 0x1FF));
+ return (PHANDLE_TABLE_ENTRY)(v5 + 4 * (v2 & 0x3FF));
+ }
+ return (PHANDLE_TABLE_ENTRY)(v3 + 4 * v2);
} \ No newline at end of file
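Review bot: ExpLookupHandleTableEntry (L136-L159) walks the table with no synchronization and no validation of the entry it lands on, so the PHANDLE_TABLE_ENTRY it returns can point at a slot that is freed or reused before the caller dereferences it; its only caller on this page is the `#if 0` block at L45-L48, which makes this paged, `alloc_text(PAGE, …)`-placed routine dead code as committed. The body is unedited decompiler output — register comments (`// rdx`, `// r8`), locals `v2`..`v5`, MSVC-only `0i64`/`ui64` literals — and should be rewritten with named locals (handle index, table code, level bits) before it is kept: at minimum `return NULL;` in place of `return 0i64;` at L145, and a header comment stating that the caller must hold the table lock or otherwise pin the entry. Reusing the kernel's own internal name for a local reimplementation also invites confusion; a project prefix would make it clear this is not the exported routine. VADProtect, whose tail is visible at L132-L134, starts outside this hunk.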
diff --git a/KMemDriver/KMemDriver.vcxproj b/KMemDriver/KMemDriver.vcxproj
index 898b55d..7f1e95c 100644
--- a/KMemDriver/KMemDriver.vcxproj
+++ b/KMemDriver/KMemDriver.vcxproj
@@ -159,6 +159,7 @@
<ClCompile>
<PreprocessorDefinitions>KERNEL_MODULE;_DEBUG_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(SolutionDir)include;$(SolutionDir)$(SolutionName);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+ <ExceptionHandling>SyncCThrow</ExceptionHandling>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -173,6 +174,7 @@
</ItemGroup>
<ItemGroup>
<ClCompile Include="KMemDriver.c" />
+ <ClCompile Include="Memory.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\include\KMemDriver.h" />
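Review bot: `<ExceptionHandling>SyncCThrow</ExceptionHandling>` (/EHsc) at L168 selects C++ exception semantics, which is not what the `try`/`except` blocks added in Memory.c rely on; structured exception handling in C works without any /EH switch, and a kernel-mode driver has no C++ exception runtime to back /EHsc. Unless another part of the project needs it, the line should be dropped; if it is kept, the Release|x64 group that opens at L171 (its settings are outside the hunk) presumably needs the same entry so Debug and Release do not build with different settings.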
diff --git a/KMemDriver/KMemDriver.vcxproj.filters b/KMemDriver/KMemDriver.vcxproj.filters
index 218ceac..527bb33 100644
--- a/KMemDriver/KMemDriver.vcxproj.filters
+++ b/KMemDriver/KMemDriver.vcxproj.filters
@@ -25,5 +25,8 @@
<ClCompile Include="KMemDriver.c">
<Filter>Source Files</Filter>
</ClCompile>
+ <ClCompile Include="Memory.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
</ItemGroup>
</Project> \ No newline at end of file
diff --git a/KMemDriver/Memory.c b/KMemDriver/Memory.c
new file mode 100644
index 0000000..2cecae8
--- /dev/null
+++ b/KMemDriver/Memory.c
@@ -0,0 +1,95 @@
+#include "KMemDriver.h"
+#include "Imports.h"
+#include "Native.h"
+
+#include <ntddk.h>
+#include <Ntstrsafe.h>
+
+NTSTATUS KeReadVirtualMemory(
+ IN PEPROCESS Process, IN PVOID SourceAddress,
+ IN PVOID TargetAddress, IN PSIZE_T Size
+)
+{
+ NTSTATUS status;
+ SIZE_T Bytes = 0;
+
+ try {
+ status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
+ TargetAddress, *Size, KernelMode, &Bytes);
+ } except(STATUS_ACCESS_VIOLATION) {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ if (NT_SUCCESS(status))
+ {
+ *Size = Bytes;
+ return STATUS_SUCCESS;
+ }
+ else {
+ return status;
+ }
+}
+
+NTSTATUS KeWriteVirtualMemory(
+ IN PEPROCESS Process, IN PVOID SourceAddress,
+ IN PVOID TargetAddress, IN PSIZE_T Size
+)
+{
+ NTSTATUS status;
+ SIZE_T Bytes = 0;
+
+ try {
+ status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process,
+ TargetAddress, *Size, KernelMode, &Bytes);
+ } except(STATUS_ACCESS_VIOLATION) {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ if (NT_SUCCESS(status))
+ {
+ *Size = Bytes;
+ return STATUS_SUCCESS;
+ }
+ else {
+ return status;
+ }
+}
+
+NTSTATUS KeProtectVirtualMemory(
+ IN HANDLE hProcess, IN PVOID addr,
+ IN SIZE_T siz, IN ULONG new_prot,
+ OUT ULONG *old_prot
+)
+{
+ NTSTATUS status;
+ PVOID prot_addr = addr;
+ SIZE_T prot_size = siz;
+ ULONG prot = 0;
+
+ try {
+ status = ZwProtectVirtualMemory(hProcess, &prot_addr,
+ &prot_size, new_prot, &prot);
+ if (NT_SUCCESS(status)) {
+ *old_prot = prot;
+ }
+ } except(STATUS_ACCESS_VIOLATION) {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ return status;
+}
+
+NTSTATUS KeRestoreProtectVirtualMemory(IN HANDLE hProcess,
+ IN PVOID addr, IN SIZE_T siz,
+ IN ULONG old_prot)
+{
+ NTSTATUS status;
+ PVOID prot_addr = addr;
+ SIZE_T prot_size = siz;
+ ULONG prot = 0;
+
+ try {
+ status = ZwProtectVirtualMemory(hProcess, &prot_addr,
+ &prot_size, old_prot, &prot);
+ } except(STATUS_ACCESS_VIOLATION) {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ return status;
+} \ No newline at end of file
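Review bot: The filter expression `except(STATUS_ACCESS_VIOLATION)` at L217, L241, L271 and L289 does not do what the handler body assumes: an `__except` filter is interpreted as EXCEPTION_EXECUTE_HANDLER (positive), EXCEPTION_CONTINUE_SEARCH (0) or EXCEPTION_CONTINUE_EXECUTION (negative), and STATUS_ACCESS_VIOLATION (0xC0000005) is a negative LONG, so a fault would resume at the faulting instruction instead of entering the `return STATUS_ACCESS_VIOLATION;` block. Each of the four should read `} except(GetExceptionCode() == STATUS_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {` (or simply `EXCEPTION_EXECUTE_HANDLER` if any exception is to be swallowed). The bare `try`/`except` spellings also depend on the header-provided aliases for `__try`/`__except`; spelling them with the underscores makes the file independent of that. A one-line comment on each function stating that the caller's `*Size` is updated only on success (L222, L246) would document the contract the callers in KMemDriver.c rely on.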
diff --git a/KMemDriver/Native.h b/KMemDriver/Native.h
index e19e3bd..326940e 100644
--- a/KMemDriver/Native.h
+++ b/KMemDriver/Native.h
@@ -231,5 +231,65 @@ typedef struct _RTL_AVL_TREE // Size=8
UINT64 NumberGenericTableElements;
} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;
+typedef struct _HANDLE_TABLE_ENTRY_INFO {
+ UINT32 AuditMask;
+ UINT32 MaxRelativeAccessMask;
+} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _HANDLE_TABLE_ENTRY
+{
+ union
+ {
+ PVOID Object;
+ ULONG ObAttributes;
+ PHANDLE_TABLE_ENTRY_INFO InfoTable;
+ ULONG Value;
+ };
+ union
+ {
+ ULONG GrantedAccess;
+ struct
+ {
+ SHORT GrantedAccessIndex;
+ SHORT CreatorBackTraceIndex;
+ };
+ LONG NextFreeTableEntry;
+ };
+} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
+
+typedef struct _HANDLE_TABLE_FREE_LIST
+{
+ EX_PUSH_LOCK FreeListLock;
+ PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
+ PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
+ UINT32 HandleCount;
+ UINT32 HighWaterMark;
+} HANDLE_TABLE_FREE_LIST, *PHANDLE_TABLE_FREE_LIST;
+
+typedef struct _HANDLE_TABLE
+{
+ UINT32 NextHandleNeedingPool;
+ UINT32 ExtraInfoPages;
+ UINT32 TableCode;
+ PEPROCESS QuotaProcess;
+ LIST_ENTRY HandleTableList;
+ UINT32 UniqueProcessId;
+ union {
+ UINT32 Flags;
+ struct {
+ UINT32 StrictFIFO : 1;
+ UINT32 EnableHandleExceptions : 1;
+ UINT32 Rundown : 1;
+ UINT32 Duplicated : 1;
+ UINT32 RaiseUMExceptionOnInvalidHandleClose : 1;
+ };
+ };
+ EX_PUSH_LOCK HandleContentionEvent;
+ EX_PUSH_LOCK HandleTableLock;
+ HANDLE_TABLE_FREE_LIST FreeLists;
+ UCHAR ActualEntry[32];
+ PVOID DebugInfo;
+} PHANDLE_TABLE;
+
#pragma pack(pop)
#pragma warning(default : 4214 4201) \ No newline at end of file
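Review bot: `} PHANDLE_TABLE;` at L359 names the struct type itself with the pointer prefix, leaving no `HANDLE_TABLE` name and no actual pointer typedef; it should be `} HANDLE_TABLE, *PHANDLE_TABLE;` to match the other typedefs in this hunk (L304, L325, L334). The layout also disagrees with the lookup added in KMemDriver.c, which reads a pointer-sized value at offset 8 (`*((uintptr_t*)pHandleTable + 1)`) as the table code, whereas this struct declares `UINT32 TableCode;` at L340 after two UINT32 fields; on the x64 build that is presumably `ULONG_PTR TableCode;`, and every field after it shifts accordingly. That same lookup addresses entries at a 16-byte stride (`4 * (v2 & 0x3FF)` with the low two bits cleared), so HANDLE_TABLE_ENTRY (L306-L325) needs to be 16 bytes; since these definitions sit inside the region closed by the `#pragma pack(pop)` at L361, the 8-byte union followed by a 4-byte union may pack to 12 bytes depending on the pack value set earlier in the file, which is outside this hunk.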