From b15e90ab5ef30d606544c85695627e9e4c29d7a3 Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Sun, 26 May 2024 21:37:40 +0200 Subject: Added MmMapIoSpaceEx. Signed-off-by: Toni Uhlig --- CRT/ntdll_zw_functions.c | 27 +++++++++++++++++++++++++++ CRT/ntdll_zw_functions.txt | 1 + 2 files changed, 28 insertions(+) (limited to 'CRT') diff --git a/CRT/ntdll_zw_functions.c b/CRT/ntdll_zw_functions.c index 3cd6fde..7fac930 100644 --- a/CRT/ntdll_zw_functions.c +++ b/CRT/ntdll_zw_functions.c @@ -8,6 +8,7 @@ extern "C" { #endif +typedef PVOID NTAPI (*MmMapIoSpaceEx_t) (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect); typedef NTSTATUS NTAPI (*ObOpenObjectByPointer_t) (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle); typedef NTSTATUS NTAPI (*MmCopyMemory_t) (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred); typedef NTSTATUS NTAPI (*MmCopyVirtualMemory_t) (_In_ PEPROCESS SourceProcess, _In_ PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _In_ PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize); 
@@ -18,6 +19,7 @@ typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In typedef NTSTATUS NTAPI (*ZwProtectVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection); typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength); +static MmMapIoSpaceEx_t _MmMapIoSpaceEx = NULL; static ObOpenObjectByPointer_t _ObOpenObjectByPointer = NULL; static MmCopyMemory_t _MmCopyMemory = NULL; static MmCopyVirtualMemory_t _MmCopyVirtualMemory = NULL; @@ -33,6 +35,21 @@ int __cdecl ntdll_zw_functions (void) int retval = 0; UNICODE_STRING fnName; +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"MmMapIoSpaceEx")); +#else + RtlInitUnicodeString(&fnName, L"MmMapIoSpaceEx"); +#endif + _MmMapIoSpaceEx = (MmMapIoSpaceEx_t)MmGetSystemRoutineAddress(&fnName); + if (_MmMapIoSpaceEx == NULL) + { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmMapIoSpaceEx not found.")); +#else + DbgPrint("%s\n", "System routine MmMapIoSpaceEx not found."); +#endif + retval++; + } #ifdef __cplusplus RtlInitUnicodeString(&fnName, skCrypt(L"ObOpenObjectByPointer")); #else 
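Review bot: The lookup block added at the top of `ntdll_zw_functions` counts a missing `MmMapIoSpaceEx` as an error (`retval++`) like the other routines, but this routine is only exported on Windows 10 and later, so on older kernels the function would return non-zero for that reason alone. How the caller reacts to a non-zero return is not visible here; if older targets are meant to be supported, the miss should probably be tolerated rather than counted. In either case a comment such as `/* MmMapIoSpaceEx: Windows 10+ only; pointer stays NULL on older kernels */` above the lookup would record the constraint. The enclosing function continues outside the hunk.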
@@ -173,6 +190,16 @@ int __cdecl ntdll_zw_functions (void) } +PVOID NTAPI MmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect) +{ + return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect); +} + +PVOID NTAPI WrapperMmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect) +{ + return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect); +} + NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle) { if (_ObOpenObjectByPointer == NULL) diff --git a/CRT/ntdll_zw_functions.txt b/CRT/ntdll_zw_functions.txt index eeee056..76a9106 100644 --- a/CRT/ntdll_zw_functions.txt +++ b/CRT/ntdll_zw_functions.txt @@ -1,3 +1,4 @@ +PVOID NTAPI MmMapIoSpaceEx(_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect); NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle); NTSTATUS NTAPI MmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred); NTSTATUS NTAPI MmCopyVirtualMemory (_In_ PEPROCESS SourceProcess, _In_ PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _In_ PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize); -- cgit v1.2.3
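Review bot: Both new wrappers, `MmMapIoSpaceEx` and `WrapperMmMapIoSpaceEx`, call through `_MmMapIoSpaceEx` without checking it, although the lookup code leaves it NULL when the routine is not found and only increments `retval`; the neighbouring `ObOpenObjectByPointer` wrapper visibly starts with `if (_ObOpenObjectByPointer == NULL)`. A call through a NULL function pointer in kernel mode bug-checks the machine, so each body should begin with `if (_MmMapIoSpaceEx == NULL) return NULL;`. Callers already have to treat a NULL return as a failed mapping, so this adds no new contract. A short comment on the wrappers should also state that PhysicalAddress, NumberOfBytes and Protect are forwarded unvalidated, so any value that originates outside the driver must be range-checked by the caller, and that the mapping is to be released with MmUnmapIoSpace.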