Fixed missing last `Read<>()` offset in `ReadChain<>()`.

* added `ReadString()` * added `swap_process()` semantics Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2024-03-19 10:54:04 +0100
committer: Toni Uhlig <matzeton@googlemail.com> 2024-03-21 10:54:04 +0100
commit: 056e59808b9c06fd34286ea208af9854f6a29096 (patch)
tree: 7285a2c576a6563d8c59a4a2ced8cacf3973ead1 /memory.cpp
parent: ffd009ce14f5cf5a0a00b5477b54c518716d9eab (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/memory.cpp b/memory.cpp
index 366d619..b7fb27a 100644
--- a/memory.cpp
+++ b/memory.cpp
@@ -46,6 +46,31 @@ NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(_In_ PEPROCESS Process);
 static int g_waitCount = 100;
 static LONGLONG g_waitTimeout = (-1LL) * 10LL * 1000LL * 250LL; // 250ms
 
+auto get_process_cr3(PEPROCESS pe_process) -> uint64_t
+{
+    auto process_dirbase = *(uint64_t*)((uint8_t*)pe_process + 0x28);
+
+    if (!process_dirbase)
+        return *(uint64_t*)((uint8_t*)pe_process + 0x388);
+
+    return process_dirbase;
+}
+
+auto swap_process(PEPROCESS new_process) -> PEPROCESS
+{
+    auto current_thread = KeGetCurrentThread();
+
+    auto apc_state = *(uint64_t*)((uint64_t)current_thread + 0x98);
+    auto old_process = *(uint64_t*)(apc_state + 0x20);
+
+    *(uint64_t*)(apc_state + 0x20) = reinterpret_cast<uint64_t>(new_process);
+
+    auto dir_table_base = get_process_cr3(new_process);
+    __writecr3(dir_table_base);
+
+    return reinterpret_cast<PEPROCESS>(old_process);
+}
+
 void SetLdrInitWaitPrefs(int waitCount, LONGLONG waitTimeout) {
     g_waitCount = waitCount;
     g_waitTimeout = waitTimeout;
author	Toni Uhlig <matzeton@googlemail.com>	2024-03-19 10:54:04 +0100
committer	Toni Uhlig <matzeton@googlemail.com>	2024-03-21 10:54:04 +0100
commit	056e59808b9c06fd34286ea208af9854f6a29096 (patch)
tree	7285a2c576a6563d8c59a4a2ced8cacf3973ead1 /memory.cpp
parent	ffd009ce14f5cf5a0a00b5477b54c518716d9eab (diff)