pool scan changes
This commit is contained in:
parent
6cac089f5c
commit
183a130eed
14 changed files with 144 additions and 176 deletions
34
ac.sln
34
ac.sln
|
@ -11,7 +11,7 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "service", "service\service.
|
|||
EndProject
|
||||
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "server", "server\server.csproj", "{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}"
|
||||
EndProject
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "debuglib", "debuglib\debuglib.vcxproj", "{BD01B133-A4BF-4292-A261-6530CBC1A481}"
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "debuglib", "debuglib\debuglib.vcxproj", "{E21EB277-0001-4AD3-9131-06098BAF81A2}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
|
@ -97,22 +97,22 @@ Global
|
|||
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x64.Build.0 = Release|Any CPU
|
||||
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x86.ActiveCfg = Release|Any CPU
|
||||
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x86.Build.0 = Release|Any CPU
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|Any CPU.ActiveCfg = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|Any CPU.Build.0 = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|ARM64.ActiveCfg = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|ARM64.Build.0 = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|x64.Build.0 = Debug|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Debug|x86.Build.0 = Debug|Win32
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|Any CPU.ActiveCfg = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|Any CPU.Build.0 = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|ARM64.ActiveCfg = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|ARM64.Build.0 = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|x64.ActiveCfg = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|x64.Build.0 = Release|x64
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|x86.ActiveCfg = Release|Win32
|
||||
{BD01B133-A4BF-4292-A261-6530CBC1A481}.Release|x86.Build.0 = Release|Win32
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|Any CPU.ActiveCfg = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|Any CPU.Build.0 = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|ARM64.ActiveCfg = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|ARM64.Build.0 = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|x64.Build.0 = Debug|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Debug|x86.Build.0 = Debug|Win32
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|Any CPU.ActiveCfg = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|Any CPU.Build.0 = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|ARM64.ActiveCfg = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|ARM64.Build.0 = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|x64.ActiveCfg = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|x64.Build.0 = Release|x64
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|x86.ActiveCfg = Release|Win32
|
||||
{E21EB277-0001-4AD3-9131-06098BAF81A2}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>17.0</VCProjectVersion>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<ProjectGuid>{bd01b133-a4bf-4292-a261-6530cbc1a481}</ProjectGuid>
|
||||
<ProjectGuid>{e21eb277-0001-4ad3-9131-06098baf81a2}</ProjectGuid>
|
||||
<RootNamespace>debuglib</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="symbols.h">
|
||||
<Filter>Header Files</Filter>
|
||||
<Filter>Source Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
|
@ -165,85 +165,87 @@ Exit:
|
|||
return result;
|
||||
}
|
||||
|
||||
VOID GetKernelStructureOffsets(KERNEL_STRUCTURE_OFFSETS* KernelOffsets)
|
||||
VOID GetKernelStructureOffsets( KERNEL_STRUCTURE_OFFSETS* KernelOffsets )
|
||||
{
|
||||
UINT64 kernel_base = NULL;
|
||||
HMODULE handle;
|
||||
HRESULT result;
|
||||
ULONG type_kprocess;
|
||||
ULONG type_eprocess;
|
||||
ULONG type_kthread;
|
||||
ULONG type_ethread;
|
||||
DebugCreateFunction dbg_create_function;
|
||||
PDEBUG_SYMBOLS symbols = nullptr;
|
||||
PDEBUG_DATA_SPACES4 data_spaces = nullptr;
|
||||
PDEBUG_CLIENT client = nullptr;
|
||||
PDEBUG_CONTROL debug_control = nullptr;
|
||||
PCSTR dump_path = "C:\\temp.dmp";
|
||||
UINT64 kernel_base = NULL;
|
||||
HMODULE handle;
|
||||
HRESULT result;
|
||||
ULONG type_kprocess;
|
||||
ULONG type_eprocess;
|
||||
ULONG type_kthread;
|
||||
ULONG type_ethread;
|
||||
DebugCreateFunction dbg_create_function;
|
||||
PDEBUG_SYMBOLS symbols = nullptr;
|
||||
PDEBUG_DATA_SPACES4 data_spaces = nullptr;
|
||||
PDEBUG_CLIENT client = nullptr;
|
||||
PDEBUG_CONTROL debug_control = nullptr;
|
||||
PCSTR dump_path = "C:\\temp.dmp";
|
||||
|
||||
result = CreateDump( dump_path );
|
||||
|
||||
if ( result != S_OK )
|
||||
return;
|
||||
|
||||
handle = GetModuleHandle( L"dbgeng.dll" );
|
||||
handle = GetModuleHandle( L"dbgeng.dll" );
|
||||
|
||||
if ( handle == NULL )
|
||||
return;
|
||||
if ( handle == NULL )
|
||||
return;
|
||||
|
||||
dbg_create_function = ( DebugCreateFunction )GetProcAddress( handle, "DebugCreate" );
|
||||
dbg_create_function = ( DebugCreateFunction )GetProcAddress( handle, "DebugCreate" );
|
||||
|
||||
if ( dbg_create_function == NULL )
|
||||
return;
|
||||
if ( dbg_create_function == NULL )
|
||||
return;
|
||||
|
||||
result = dbg_create_function( __uuidof( IDebugClient ), ( PVOID* )&client );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
result = client->QueryInterface( __uuidof( IDebugSymbols ), ( PVOID* )&symbols );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
result = client->QueryInterface( __uuidof( IDebugDataSpaces ), ( PVOID* )&data_spaces );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
result = client->QueryInterface( __uuidof( IDebugControl ), ( PVOID* )&debug_control );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
result = client->OpenDumpFile( dump_path );
|
||||
|
||||
//result = debug_control->WaitForEvent( DEBUG_WAIT_DEFAULT, INFINITE );
|
||||
result = dbg_create_function( __uuidof( IDebugClient ), ( PVOID* )&client );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
data_spaces->ReadDebuggerData( DEBUG_DATA_KernBase, &kernel_base, sizeof( UINT64 ), nullptr );
|
||||
result = client->QueryInterface( __uuidof( IDebugSymbols ), ( PVOID* )&symbols );
|
||||
|
||||
symbols->GetTypeId( kernel_base, "_KPROCESS", &type_kprocess );
|
||||
symbols->GetTypeId( kernel_base, "_EPROCESS", &type_eprocess );
|
||||
symbols->GetTypeId( kernel_base, "_KTHREAD", &type_kthread );
|
||||
symbols->GetTypeId( kernel_base, "_ETHREAD", &type_ethread );
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_kprocess, "ThreadListHead", &KernelOffsets->KPROCESS.thread_list_head );
|
||||
symbols->GetFieldOffset( kernel_base, type_kprocess, "DirectoryTableBase", &KernelOffsets->KPROCESS.directory_table_base );
|
||||
result = client->QueryInterface( __uuidof( IDebugDataSpaces ), ( PVOID* )&data_spaces );
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "PeakVirtualSize", &KernelOffsets->EPROCESS.peak_virtual_size );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "VadRoot", &KernelOffsets->EPROCESS.vad_root );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "ObjectTable", &KernelOffsets->EPROCESS.object_table );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "ImageFileName", &KernelOffsets->EPROCESS.image_name );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "Peb", &KernelOffsets->EPROCESS.process_environment_block );
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StackBase", &KernelOffsets->KTHREAD.stack_base );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StackLimit", &KernelOffsets->KTHREAD.stack_limit );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "ThreadListEntry", &KernelOffsets->KTHREAD.threadlist );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "ApcState", &KernelOffsets->KTHREAD.apc_state );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StartAddress", &KernelOffsets->KTHREAD.start_address );
|
||||
result = client->QueryInterface( __uuidof( IDebugControl ), ( PVOID* )&debug_control );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
result = client->OpenDumpFile( dump_path );
|
||||
|
||||
result = debug_control->WaitForEvent( DEBUG_WAIT_DEFAULT, INFINITE );
|
||||
|
||||
if ( result != S_OK )
|
||||
goto end;
|
||||
|
||||
|
||||
|
||||
data_spaces->ReadDebuggerData( DEBUG_DATA_KernBase, &kernel_base, sizeof( UINT64 ), nullptr );
|
||||
|
||||
symbols->GetTypeId( kernel_base, "_KPROCESS", &type_kprocess );
|
||||
symbols->GetTypeId( kernel_base, "_EPROCESS", &type_eprocess );
|
||||
symbols->GetTypeId( kernel_base, "_KTHREAD", &type_kthread );
|
||||
symbols->GetTypeId( kernel_base, "_ETHREAD", &type_ethread );
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_kprocess, "ThreadListHead", &KernelOffsets->KPROCESS.thread_list_head );
|
||||
symbols->GetFieldOffset( kernel_base, type_kprocess, "DirectoryTableBase", &KernelOffsets->KPROCESS.directory_table_base );
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "PeakVirtualSize", &KernelOffsets->EPROCESS.peak_virtual_size );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "VadRoot", &KernelOffsets->EPROCESS.vad_root );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "ObjectTable", &KernelOffsets->EPROCESS.object_table );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "ImageFileName", &KernelOffsets->EPROCESS.image_name );
|
||||
symbols->GetFieldOffset( kernel_base, type_eprocess, "Peb", &KernelOffsets->EPROCESS.process_environment_block );
|
||||
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StackBase", &KernelOffsets->KTHREAD.stack_base );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StackLimit", &KernelOffsets->KTHREAD.stack_limit );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "ThreadListEntry", &KernelOffsets->KTHREAD.threadlist );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "ApcState", &KernelOffsets->KTHREAD.apc_state );
|
||||
symbols->GetFieldOffset( kernel_base, type_kthread, "StartAddress", &KernelOffsets->KTHREAD.start_address );
|
||||
|
||||
end:
|
||||
|
||||
|
@ -253,12 +255,12 @@ end:
|
|||
client->Release();
|
||||
}
|
||||
|
||||
if ( symbols != nullptr )
|
||||
symbols->Release();
|
||||
if ( symbols != nullptr )
|
||||
symbols->Release();
|
||||
|
||||
if ( data_spaces != nullptr )
|
||||
data_spaces->Release();
|
||||
if ( data_spaces != nullptr )
|
||||
data_spaces->Release();
|
||||
|
||||
if ( debug_control != nullptr )
|
||||
debug_control->Release();
|
||||
}
|
||||
if ( debug_control != nullptr )
|
||||
debug_control->Release();
|
||||
}
|
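Review bot: On the new side `result = client->OpenDumpFile( dump_path );` is overwritten by the `WaitForEvent` call in the very next statement before it is ever tested, so a failed dump open only surfaces indirectly, if at all; add `if ( result != S_OK ) goto end;` directly after the OpenDumpFile line. The HRESULTs of `ReadDebuggerData`, every `GetTypeId` and every `GetFieldOffset` are discarded and the function returns VOID, so a caller receives a KERNEL_STRUCTURE_OFFSETS that may be silently zero-filled when symbol resolution fails — at minimum assign the ReadDebuggerData result to `result` and guard it with `if ( result != S_OK || kernel_base == NULL ) goto end;`, and consider returning the last HRESULT instead of VOID so the symbols.h declaration touched by this commit can express failure. The statement order of the new side is inferred from the rendered page, so confirm it against the actual file.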
|
@ -111,29 +111,29 @@ typedef HRESULT( *DebugCreateFunction )( _In_ REFIID, _Out_ PVOID* );
|
|||
|
||||
struct KERNEL_STRUCTURE_OFFSETS
|
||||
{
|
||||
struct KPROCESS
|
||||
{
|
||||
ULONG thread_list_head;
|
||||
ULONG directory_table_base;
|
||||
}KPROCESS;
|
||||
struct KPROCESS
|
||||
{
|
||||
ULONG thread_list_head;
|
||||
ULONG directory_table_base;
|
||||
}KPROCESS;
|
||||
|
||||
struct EPROCESS
|
||||
{
|
||||
ULONG peak_virtual_size;
|
||||
ULONG vad_root;
|
||||
ULONG object_table;
|
||||
ULONG image_name;
|
||||
ULONG process_environment_block;
|
||||
}EPROCESS;
|
||||
struct EPROCESS
|
||||
{
|
||||
ULONG peak_virtual_size;
|
||||
ULONG vad_root;
|
||||
ULONG object_table;
|
||||
ULONG image_name;
|
||||
ULONG process_environment_block;
|
||||
}EPROCESS;
|
||||
|
||||
struct KTHREAD
|
||||
{
|
||||
ULONG stack_base;
|
||||
ULONG stack_limit;
|
||||
ULONG threadlist;
|
||||
ULONG apc_state;
|
||||
ULONG start_address;
|
||||
}KTHREAD;
|
||||
struct KTHREAD
|
||||
{
|
||||
ULONG stack_base;
|
||||
ULONG stack_limit;
|
||||
ULONG threadlist;
|
||||
ULONG apc_state;
|
||||
ULONG start_address;
|
||||
}KTHREAD;
|
||||
};
|
||||
|
||||
VOID GetKernelStructureOffsets( KERNEL_STRUCTURE_OFFSETS* KernelOffsets );
|
||||
|
|
|
@ -55,6 +55,7 @@
|
|||
|
||||
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_1 0x70
|
||||
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_2 0x80
|
||||
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_3 0x30
|
||||
#define EPROCESS_SIZE 0xa40
|
||||
|
||||
#define KPCRB_CURRENT_THREAD 0x8
|
||||
|
|
|
@ -132,27 +132,23 @@ BOOLEAN ValidateIfAddressIsProcessStructure(
|
|||
UINT64 allocation_size = NULL;
|
||||
UINT64 peb = NULL;
|
||||
UINT64 object_table = NULL;
|
||||
UINT32 pool_type = NULL;
|
||||
BOOLEAN peb_test = FALSE;
|
||||
BOOLEAN object_table_test = FALSE;
|
||||
UINT64 allocation_size_test = NULL;
|
||||
|
||||
if ( MmIsAddressValid( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET ) )
|
||||
peak_virtual_size = *( UINT64* )( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET );
|
||||
|
||||
if ( MmIsAddressValid( ( UINT64 )Address + KPROCESS_DIRECTORY_TABLE_BASE_OFFSET ) )
|
||||
dir_table_base = *( UINT64* )( ( UINT64 )Address + KPROCESS_DIRECTORY_TABLE_BASE_OFFSET );
|
||||
|
||||
if ( MmIsAddressValid( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET ) )
|
||||
peak_virtual_size = *( UINT64* )( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET );
|
||||
|
||||
if ( MmIsAddressValid( ( UINT64 )PoolHeader + 0x02 ) )
|
||||
{
|
||||
allocation_size = PoolHeader->BlockSize * CHUNK_SIZE - sizeof( POOL_HEADER );
|
||||
pool_type = PoolHeader->PoolType;
|
||||
}
|
||||
|
||||
if ( MmIsAddressValid( ( UINT64 )Address + EPROCESS_PEB_OFFSET ) )
|
||||
peb = *( UINT64* )( ( UINT64 )Address + EPROCESS_PEB_OFFSET );
|
||||
|
||||
if (MmIsAddressValid((UINT64)Address + EPROCESS_OBJECT_TABLE_OFFSET ) )
|
||||
if ( MmIsAddressValid((UINT64)Address + EPROCESS_OBJECT_TABLE_OFFSET ) )
|
||||
object_table = *( UINT64* )( ( UINT64 )Address + EPROCESS_OBJECT_TABLE_OFFSET );
|
||||
|
||||
peb_test = peb == NULL || ( peb & 0x7ffd0000 == 0x7ffd0000 && peb % 0x1000 == NULL );
|
||||
|
@ -160,9 +156,9 @@ BOOLEAN ValidateIfAddressIsProcessStructure(
|
|||
allocation_size_test = allocation_size & 0xfff0;
|
||||
|
||||
if ( peak_virtual_size > 0 && ( dir_table_base & 0x20 ) == 0 && allocation_size > EPROCESS_SIZE &&
|
||||
pool_type != NULL && !( allocation_size_test == 0xfff0 ) && !peb_test && !object_table_test )
|
||||
PoolHeader->PoolType != NULL && !( allocation_size_test == 0xfff0 ) && !peb_test && !object_table_test )
|
||||
{
|
||||
DEBUG_LOG( "Virtual size: %llx, dir table base: %llx, allocation size: %llx", peak_virtual_size, dir_table_base, allocation_size );
|
||||
DEBUG_LOG( "Virtual size: %llx, allocation size: %llx", peak_virtual_size, allocation_size );
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
@ -215,6 +211,7 @@ VOID ScanPageForKernelObjectAllocation(
|
|||
PEPROCESS process = NULL;
|
||||
PEPROCESS process_size_one = NULL;
|
||||
PEPROCESS process_size_two = NULL;
|
||||
PEPROCESS test_process = NULL;
|
||||
LPCSTR process_name;
|
||||
PUINT64 address_list;
|
||||
ULONG allocation_size;
|
||||
|
@ -222,7 +219,7 @@ VOID ScanPageForKernelObjectAllocation(
|
|||
if ( !PageBase || !PageSize )
|
||||
return;
|
||||
|
||||
for ( INT offset = 0; offset <= PageSize - POOL_TAG_LENGTH; offset++ )
|
||||
for ( INT offset = 0; offset <= PageSize - POOL_TAG_LENGTH - EPROCESS_SIZE; offset++ )
|
||||
{
|
||||
for ( INT sig_index = 0; sig_index < POOL_TAG_LENGTH + 1; sig_index++ )
|
||||
{
|
||||
|
@ -239,28 +236,21 @@ VOID ScanPageForKernelObjectAllocation(
|
|||
if ( !MmIsAddressValid( ( PVOID )pool_header ) )
|
||||
break;
|
||||
|
||||
/*
|
||||
* All EPROCESS allocations contain the following header objects:
|
||||
*
|
||||
* -> OBJECT_HEADER with size 0x30
|
||||
* -> OBJECT_HEADER_HANDLE_TABLE with size 0x10
|
||||
* -> OBJECT_HEADER_QUOTA_INFO with size 0x20
|
||||
*
|
||||
* And a small number may an unknown additional header with size 0x10
|
||||
*/
|
||||
process_size_one = ( PEPROCESS )( ( UINT64 )pool_header + sizeof( POOL_HEADER ) + KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_1 );
|
||||
process_size_two = ( PEPROCESS )( ( UINT64 )pool_header + sizeof( POOL_HEADER ) + KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_2 );
|
||||
for ( ULONG header_size = 0x00; header_size < 0xb0; header_size += 0x10 )
|
||||
{
|
||||
test_process = ( PEPROCESS )( ( UINT64 )pool_header + sizeof( POOL_HEADER ) + header_size );
|
||||
|
||||
if ( ValidateIfAddressIsProcessStructure( process_size_one, pool_header ) )
|
||||
process = process_size_one;
|
||||
if ( ValidateIfAddressIsProcessStructure( test_process, pool_header ) )
|
||||
{
|
||||
process = test_process;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( process == NULL )
|
||||
{
|
||||
if ( ValidateIfAddressIsProcessStructure( process_size_two, pool_header ) )
|
||||
process = process_size_two;
|
||||
else
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
DEBUG_LOG( "Process: %llx", (UINT64)process );
|
||||
|
||||
address_list = ( PUINT64 )AddressBuffer;
|
||||
|
||||
|
@ -487,6 +477,9 @@ VOID WalkKernelPageTables( PVOID AddressBuffer )
|
|||
|
||||
physical.QuadPart = pd_entry.Bits.PhysicalAddress << PAGE_4KB_SHIFT;
|
||||
|
||||
if ( !MmIsAddressValid( pd_base + pd_index * sizeof( UINT64 ) ) )
|
||||
continue;
|
||||
|
||||
pt_base = MmGetVirtualForPhysical( physical );
|
||||
|
||||
if ( !pt_base || !MmIsAddressValid( pt_base ) )
|
||||
|
@ -611,19 +604,19 @@ NTSTATUS FindUnlinkedProcesses(
|
|||
if ( !report_buffer )
|
||||
goto end;
|
||||
|
||||
report_buffer->report_code = REPORT_INVALID_PROCESS_ALLOCATION;
|
||||
//report_buffer->report_code = REPORT_INVALID_PROCESS_ALLOCATION;
|
||||
|
||||
RtlCopyMemory(
|
||||
report_buffer->process,
|
||||
allocation_address[ i ],
|
||||
REPORT_INVALID_PROCESS_BUFFER_SIZE );
|
||||
//RtlCopyMemory(
|
||||
// report_buffer->process,
|
||||
// allocation_address[ i ],
|
||||
// REPORT_INVALID_PROCESS_BUFFER_SIZE );
|
||||
|
||||
Irp->IoStatus.Information = sizeof( INVALID_PROCESS_ALLOCATION_REPORT );
|
||||
//Irp->IoStatus.Information = sizeof( INVALID_PROCESS_ALLOCATION_REPORT );
|
||||
|
||||
RtlCopyMemory(
|
||||
Irp->AssociatedIrp.SystemBuffer,
|
||||
report_buffer,
|
||||
sizeof( INVALID_PROCESS_ALLOCATION_REPORT ) );
|
||||
//RtlCopyMemory(
|
||||
// Irp->AssociatedIrp.SystemBuffer,
|
||||
// report_buffer,
|
||||
// sizeof( INVALID_PROCESS_ALLOCATION_REPORT ) );
|
||||
}
|
||||
|
||||
end:
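Review bot: In the `ValidateIfAddressIsProcessStructure` hunk at -160 the condition still contains `( dir_table_base & 0x20 ) == 0`, but this commit appears to remove the `KPROCESS_DIRECTORY_TABLE_BASE_OFFSET` read (the value is also dropped from the DEBUG_LOG); if the declaration above the hunk still initialises dir_table_base to NULL, that term is now always true and the check is dead — either restore the read or delete the term and the variable. The unchanged `peb & 0x7ffd0000 == 0x7ffd0000` in peb_test binds as `peb & ( 0x7ffd0000 == 0x7ffd0000 )`, i.e. `peb & 1`, and should read `( peb & 0x7ffd0000 ) == 0x7ffd0000`. In the `WalkKernelPageTables` hunk at -487 the added `MmIsAddressValid( pd_base + pd_index * sizeof( UINT64 ) )` runs after `pd_entry.Bits.PhysicalAddress` has already been consumed; if pd_entry is loaded from that slot above the hunk the guard comes too late, and if pd_base is a typed pointer the `* sizeof( UINT64 )` scales the index a second time. In the `ScanPageForKernelObjectAllocation` hunk at -219, `PageSize - POOL_TAG_LENGTH - EPROCESS_SIZE` wraps for any page smaller than 0xa44 bytes if PageSize is unsigned (its type is declared above the hunk), turning the loop bound into a huge value, so reject such pages before the loop. All three functions start outside their hunks.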
|
||||
|
|
BIN
include/dbghelp.dll
Normal file
BIN
include/dbghelp.dll
Normal file
Binary file not shown.
BIN
include/symsrv.dll
Normal file
BIN
include/symsrv.dll
Normal file
Binary file not shown.
1
include/symsrv.yes
Normal file
1
include/symsrv.yes
Normal file
|
@ -0,0 +1 @@
|
|||
1
|
|
@ -2,7 +2,6 @@
|
|||
#define COMMON_H
|
||||
|
||||
#include <stdio.h>
|
||||
#include "../debuglib/symbols.h"
|
||||
|
||||
#define LOG_INFO(fmt, ...) printf("[+] " fmt "\n", ##__VA_ARGS__)
|
||||
#define LOG_ERROR(fmt, ...) printf("[-] " fmt "\n", ##__VA_ARGS__)
|
||||
|
|
|
@ -627,25 +627,6 @@ VOID kernelmode::Driver::SendClientHardwareInformation()
|
|||
&system_information, sizeof( global::headers::SYSTEM_INFORMATION ), CLIENT_SEND_SYSTEM_INFORMATION );
|
||||
}
|
||||
|
||||
#pragma comment(lib, "debuglib")
|
||||
|
||||
VOID GetKernelStructureOffsets()
|
||||
{
|
||||
KERNEL_STRUCTURE_OFFSETS offsets = { 0 };
|
||||
GetKernelStructureOffsets( &offsets );
|
||||
|
||||
LOG_INFO( "KPROCESS->ThreadListHead: %lx", offsets.KPROCESS.thread_list_head );
|
||||
LOG_INFO( "KPROCESS->DirectoryTableBase: %lx", offsets.KPROCESS.directory_table_base );
|
||||
|
||||
LOG_INFO( "EPROCESS->PeakVirtualSize: %lx", offsets.EPROCESS.peak_virtual_size );
|
||||
LOG_INFO( "EPROCESS->VadRoot: %lx", offsets.EPROCESS.vad_root );
|
||||
LOG_INFO( "EPROCESS->ObjectTable: %lx", offsets.EPROCESS.object_table );
|
||||
LOG_INFO( "EPROCESS->ImageFileName: %lx", offsets.EPROCESS.image_name );
|
||||
LOG_INFO( "EPROCESS->Peb: %lx", offsets.EPROCESS.process_environment_block );
|
||||
|
||||
LOG_INFO( "KTHREAD->StackBase: %lx", offsets.KTHREAD.stack_base );
|
||||
LOG_INFO( "KTHREAD->StackLimit: %lx", offsets.KTHREAD.stack_limit );
|
||||
LOG_INFO( "KTHREAD->ThreadListEntry: %lx", offsets.KTHREAD.threadlist );
|
||||
LOG_INFO( "KTHREAD->ApcState: %lx", offsets.KTHREAD.apc_state );
|
||||
LOG_INFO( "KTHREAD->StartAddress: %lx", offsets.KTHREAD.start_address );
|
||||
}
|
||||
|
|
|
@ -26,8 +26,6 @@
|
|||
|
||||
#define MAX_MODULE_PATH 256
|
||||
|
||||
void GetKernelStructureOffsets();
|
||||
|
||||
namespace kernelmode
|
||||
{
|
||||
class Driver
|
||||
|
|
|
@ -18,13 +18,6 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
|
|||
freopen_s( &file, "CONOUT$", "w", stdout );
|
||||
freopen_s( &file, "CONIN$", "r", stdin );
|
||||
|
||||
GetKernelStructureOffsets();
|
||||
|
||||
while ( true )
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
std::this_thread::sleep_for( std::chrono::seconds( 1 ) );
|
||||
|
||||
LPTSTR pipe_name = (LPTSTR)L"\\\\.\\pipe\\DonnaACPipe";
|
||||
|
|