author | Toni Uhlig <matzeton@googlemail.com> | 2024-03-19 10:54:04 +0100 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2024-03-21 10:54:04 +0100 |
commit | 056e59808b9c06fd34286ea208af9854f6a29096 (patch) | |
tree | 7285a2c576a6563d8c59a4a2ced8cacf3973ead1 | |
parent | ffd009ce14f5cf5a0a00b5477b54c518716d9eab (diff) |
Fixed missing last `Read<>()` offset in `ReadChain<>()`.
* added `ReadString()`
* added `swap_process()` semantics
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | memory.cpp | 25 | ||||
-rw-r--r-- | memory.hpp | 15 |
2 files changed, 39 insertions, 1 deletions
@@ -46,6 +46,31 @@ NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(_In_ PEPROCESS Process); static int g_waitCount = 100; static LONGLONG g_waitTimeout = (-1LL) * 10LL * 1000LL * 250LL; // 250ms +auto get_process_cr3(PEPROCESS pe_process) -> uint64_t +{ + auto process_dirbase = *(uint64_t*)((uint8_t*)pe_process + 0x28); + + if (!process_dirbase) + return *(uint64_t*)((uint8_t*)pe_process + 0x388); + + return process_dirbase; +} + +auto swap_process(PEPROCESS new_process) -> PEPROCESS +{ + auto current_thread = KeGetCurrentThread(); + + auto apc_state = *(uint64_t*)((uint64_t)current_thread + 0x98); + auto old_process = *(uint64_t*)(apc_state + 0x20); + + *(uint64_t*)(apc_state + 0x20) = reinterpret_cast<uint64_t>(new_process); + + auto dir_table_base = get_process_cr3(new_process); + __writecr3(dir_table_base); + + return reinterpret_cast<PEPROCESS>(old_process); +} + void SetLdrInitWaitPrefs(int waitCount, LONGLONG waitTimeout) { g_waitCount = waitCount; g_waitTimeout = waitTimeout; @@ -61,6 +61,9 @@ NTSTATUS WriteVirtualMemory(_In_ PEPROCESS pep, _In_ const UCHAR *sourceAddress, _Out_ uint64_t targetAddress, _In_ _Out_ SIZE_T *size); +auto get_process_cr3(PEPROCESS pe_process) -> uint64_t; +auto swap_process(PEPROCESS new_process) -> PEPROCESS; + class Memory { public: Memory(_In_ PEPROCESS& pep) : m_pep(pep) { @@ -99,7 +102,10 @@ public: if (!sourceAddress) break; } - return Read<T>(sourceAddress); + if (chainedOffsets.size() == 0) + return Read<T>(sourceAddress); + else + return Read<T>(sourceAddress + chainedOffsets.back()); } template<typename T, size_t N> @@ -112,6 +118,13 @@ public: return Succeeded<T, N>(); } + template<size_t N> + bool ReadString(uint64_t sourceAddress, char out[N]) { + const auto retval = ReadBuffer<char, N-1>(sourceAddress, out); + out[m_last_size] = '\0'; + return retval; + } + template<typename T> bool Write(uint64_t targetAddress, const T& writeData) { if (!IsValidAddress(targetAddress)) |
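Review bot: swap_process dereferences new_process and rewrites the current thread's process pointer and CR3 with no guard at all, so a null PEPROCESS faults inside the kernel; add `if (!new_process) return nullptr;` before the KeGetCurrentThread call. The double dereference `*(uint64_t*)((uint64_t)current_thread + 0x98)` also looks off: if 0x98 is the thread's embedded KAPC_STATE, as in public KTHREAD layouts, that load yields ApcListHead[0].Flink, which only points back at the ApcState while the kernel APC list is empty, and the store at +0x20 would otherwise land inside a queued KAPC — confirm against the target build. Nothing prevents a context switch between the ApcState.Process store and __writecr3, which is what KeStackAttachProcess avoids by disabling interrupts, so document the IRQL/preemption contract the caller must meet. The four raw offsets (0x28, 0x388, 0x98, 0x20) are build-specific; name them as constants annotated with the OS build they were taken from so a mismatch is caught in review rather than as a wrong-CR3 write.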
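Review bot: The two new declarations in memory.hpp carry no documentation, and swap_process in particular has a non-obvious contract (it returns the previous process, which the caller must pass back to swap_process to restore the thread). Add a header comment such as `// Switches the current thread's process pointer and CR3 to new_process; returns the previous PEPROCESS, which must be swapped back before the thread leaves this code path.` and, for get_process_cr3, `// Reads the directory table base from the raw EPROCESS layout; offsets are build-specific.`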
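Review bot: After the loop breaks on a null sourceAddress (the `if (!sourceAddress) break;` context line), the new code in ReadChain still performs `Read<T>(sourceAddress + chainedOffsets.back())`, i.e. a read at a small absolute address in the target process, instead of failing; return the failure path as soon as sourceAddress is zero after the loop, before either Read<T> call. Whether the loop already applied the last offset cannot be seen here because ReadChain's body starts outside the hunk; if it reads through every element, adding `back()` again double-applies it, so please confirm the loop stops one short. Stylistically the branch collapses to one line, `return Read<T>(chainedOffsets.empty() ? sourceAddress : sourceAddress + chainedOffsets.back());`, using `empty()` rather than `size() == 0`.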
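Review bot: `out[m_last_size] = '\0'` in ReadString trusts a member that ReadBuffer sets outside this hunk; if a failed or short read leaves m_last_size from an earlier, larger read, the terminator is written past the caller's N-byte buffer. Clamp it and terminate at index 0 on failure: `const bool ok = ReadBuffer<char, N - 1>(sourceAddress, out); out[ok ? std::min<size_t>(m_last_size, N - 1) : 0] = '\0';` (std::min needs <algorithm>). A `char out[N]` parameter decays to `char*`, so N is never deduced and a wrong explicit N silently mismatches the buffer; take `char (&out)[N]` instead so the compiler ties N to the real array, and add `static_assert(N > 0, "ReadString needs room for the terminator");` since N - 1 underflows for N = 0.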