diff --git a/driver/driver.c b/driver/driver.c
index cccb0b3..5b8cfda 100644
--- a/driver/driver.c
+++ b/driver/driver.c
@@ -108,7 +108,16 @@ NTSTATUS DriverEntry(
     config.protected_process_eprocess = NULL;
     config.protected_process_id = NULL;
 
-    WalkKernelPageTables();
+    HANDLE handle;
+    PsCreateSystemThread(
+        &handle,
+        PROCESS_ALL_ACCESS,
+        NULL,
+        NULL,
+        NULL,
+        WalkKernelPageTables,
+        NULL
+    );
 
     status = IoCreateDevice(
         DriverObject,
diff --git a/driver/pool.c b/driver/pool.c
index fb98c78..df4acfc 100644
--- a/driver/pool.c
+++ b/driver/pool.c
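Review bot: PsCreateSystemThread's NTSTATUS is discarded and the thread handle is never closed, so a failed thread start goes unnoticed and a successful one leaks a handle; `status` is already declared in DriverEntry (it receives IoCreateDevice just below), so the call can be checked the same way. The access mask is also `PROCESS_ALL_ACCESS` for what is a thread handle — `THREAD_ALL_ACCESS` is the matching mask — and with a NULL ObjectAttributes the handle is not created as a kernel handle. Separately, `WalkKernelPageTables` is declared `VOID WalkKernelPageTables()` in pool.c while a PKSTART_ROUTINE receives a `PVOID StartContext` and is expected to finish with PsTerminateSystemThread; that is a pool.c change rather than one for this hunk. DriverEntry continues outside the hunk.
```c
    HANDLE handle = NULL;
    OBJECT_ATTRIBUTES attributes;

    /* kernel handle: not reachable from user mode; closed below once the thread is running */
    InitializeObjectAttributes( &attributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );

    status = PsCreateSystemThread(
        &handle,
        THREAD_ALL_ACCESS,
        &attributes,
        NULL,
        NULL,
        WalkKernelPageTables,
        NULL
    );

    if ( !NT_SUCCESS( status ) )
        return status; /* or jump to DriverEntry's cleanup path if it has one */

    ZwClose( handle );

    /* … unchanged: IoCreateDevice … */
```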
@@ -51,52 +51,41 @@ VOID ScanPageForProcessAllocations( _In_ ULONG PageSize ) { - CHAR process[] = "\x50\x72\x6F\x63"; + CHAR process[] = "\x50\x72\x6f\x63"; INT length = strlen( process ); - BOOLEAN found = TRUE; if ( !PageBase || !PageSize ) return; + PAGED_CODE(); + for ( INT offset = 0; offset <= PageSize - length; offset++ ) { - for ( INT sig_index = 0; sig_index < length; sig_index++ ) + for ( INT sig_index = 0; sig_index < length + 1; sig_index++ ) { if ( !MmIsAddressValid( PageBase + offset + sig_index ) ) - { - found = FALSE; break; - } CHAR current_char = *( PCHAR )( PageBase + offset + sig_index ); CHAR current_sig_byte = process[ sig_index ]; - if ( current_char != current_sig_byte ) + if ( sig_index == length ) { - found = FALSE; + PPOOL_HEADER pool_header = ( UINT64 )PageBase + offset - 0x04; + + if ( !MmIsAddressValid( (PVOID)pool_header ) ) + break; + + if ( pool_header->BlockSize * CHUNK_SIZE - sizeof(POOL_HEADER) == WIN_PROCESS_ALLOCATION_SIZE ) + { + DEBUG_LOG( "prolly found proc: %llx", (UINT64)pool_header + sizeof(POOL_HEADER) ); + } + break; } - } - if ( found ) - { - PPOOL_HEADER pool_header = PageBase + offset - POOL_TAG_SIZE; - - DEBUG_LOG( "Maybe found: %llx", ( UINT64 )pool_header ); - - ULONG test = ( ULONG )pool_header; - - if ( test & POOL_FLAG_NON_PAGED ) - { - DEBUG_LOG( "maybe found pool with non paged pool" ); - } - - //if ( pool_header->PoolType & POOL_FLAG_NON_PAGED && - // pool_header->PoolTag == 0x636f7250 ) - //{ - // DEBUG_LOG( "FOUND POOL at: %llx", ( UINT64 )pool_header ); - // break; - //} + if ( current_char != current_sig_byte ) + break; } } } @@ -169,6 +158,7 @@ VOID WalkKernelPageTables() UINT64 base_virtual_page; PHYSICAL_ADDRESS physical; PPHYSICAL_MEMORY_RANGE physical_memory_ranges; + KIRQL irql; physical_memory_ranges = MmGetPhysicalMemoryRangesEx2( NULL, NULL ); 
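Review bot: The inner loop now runs one iteration past the tag (`sig_index < length + 1`), but the MmIsAddressValid probe and the `*( PCHAR )( PageBase + offset + sig_index )` read still execute for that iteration before the `if ( sig_index == length )` branch, so every full match reads one byte beyond the tag; for `offset == PageSize - length` that byte is outside the page the caller passed, and a tag ending on the page boundary is silently dropped when the next page is not mapped. Moving the match branch ahead of the probe and the read (sketch below) removes both problems. In the same branch, `PPOOL_HEADER pool_header = ( UINT64 )PageBase + offset - 0x04;` stores an integer into a pointer without a cast and hard-codes 0x04 where pool.h already defines POOL_TAG_SIZE, and the validity check covers only the first byte of the 16-byte POOL_HEADER while BlockSize is read from a later byte — probably safe here because the page at `offset` was already probed, but a comment saying so would help. The `0xcf0` comparison is tied to one Windows build's process-object allocation size, so I'd note the build it was measured on next to WIN_PROCESS_ALLOCATION_SIZE in pool.h.
```c
    for ( INT offset = 0; offset <= PageSize - length; offset++ )
    {
        for ( INT sig_index = 0; sig_index <= length; sig_index++ )
        {
            /* every byte of the tag matched: look at the pool header in front of it */
            if ( sig_index == length )
            {
                PPOOL_HEADER pool_header = ( PPOOL_HEADER )( ( UINT64 )PageBase + offset - POOL_TAG_SIZE );

                if ( !MmIsAddressValid( ( PVOID )pool_header ) )
                    break;

                /* … unchanged: BlockSize / WIN_PROCESS_ALLOCATION_SIZE check and DEBUG_LOG … */
                break;
            }

            /* probe and compare only bytes inside [PageBase, PageBase + PageSize) */
            if ( !MmIsAddressValid( PageBase + offset + sig_index ) )
                break;

            if ( *( PCHAR )( PageBase + offset + sig_index ) != process[ sig_index ] )
                break;
        }
    }
```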
@@ -180,6 +170,12 @@ VOID WalkKernelPageTables() cr3.BitAddress = __readcr3(); + //KeRaiseIrql( DISPATCH_LEVEL, &irql ); + + PAGED_CODE(); + + _disable(); + physical.QuadPart = cr3.Bits.PhysicalAddress << PAGE_4KB_SHIFT; pml4_base.BitAddress = MmGetVirtualForPhysical( physical ); @@ -263,8 +259,8 @@ VOID WalkKernelPageTables() continue; /* this probably isnt needed but whatevs */ - if ( base_virtual_page < 0xfffff80000000000 && base_virtual_page > 0xffffffffffffffff ) - continue; + //if ( base_virtual_page < 0xfffff80000000000 || base_virtual_page > 0xffffffffffffffff ) + // continue; ScanPageForProcessAllocations( base_virtual_page, PAGE_BASE_SIZE ); } @@ -272,6 +268,10 @@ VOID WalkKernelPageTables() } } + _enable(); + + //KeLowerIrql( irql ); + DEBUG_LOG( "Finished scanning memory" ); } diff --git a/driver/pool.h b/driver/pool.h index 45c517e..50fe011 100644 --- a/driver/pool.h +++ b/driver/pool.h @@ -14,6 +14,10 @@ #define PAGE_BASE_SIZE 0x1000 #define POOL_TAG_SIZE 0x004 +#define WIN_PROCESS_ALLOCATION_SIZE 0xcf0 + +#define CHUNK_SIZE 16 + /* creds: https://www.unknowncheats.me/forum/2602838-post2.html */ typedef struct _DBGKD_DEBUG_DATA_HEADER64
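Review bot: `_disable()` turns interrupts off for the entire page-table walk without raising IRQL, yet the `PAGED_CODE()` right above it (and the one this commit adds to ScanPageForProcessAllocations, which the walk calls per page) asserts the code runs at or below APC_LEVEL and may touch pageable memory — a page fault taken with interrupts off is fatal, and MmGetVirtualForPhysical, MmIsAddressValid and DEBUG_LOG were not written to run in that state. If the goal is to keep the mappings stable during the walk, the commented-out `KeRaiseIrql( DISPATCH_LEVEL, &irql );` / `KeLowerIrql( irql );` pair is the supported way (and gives the otherwise unused `irql` from the previous hunk a purpose), with the caveat that at DISPATCH_LEVEL the scan must not touch pageable pool and the PAGED_CODE() assertions have to go. Otherwise remove `_disable()`/`_enable()` and the commented-out IRQL lines rather than keeping both halves. WalkKernelPageTables starts and ends outside this hunk.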
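Review bot: The address guard is commented out rather than corrected: the removed form could never fire because `base_virtual_page > 0xffffffffffffffff` is always false for a UINT64, and the replacement `||` form is now dead text in a comment, so the walk scans every page the CR3 traversal yields. If a bound is wanted, only a lower bound carries information, e.g. `if ( base_virtual_page < 0xffff800000000000 ) continue;` — and note that 0xfffff80000000000 may also skip kernel regions where pool lives on current builds, so the cut-off should be confirmed against the target rather than copied from the old code. If no bound is wanted, delete the two commented lines and the "probably isnt needed" remark instead of leaving them. The enclosing loop starts and ends outside the hunk.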
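Review bot: Now that WalkKernelPageTables is handed to PsCreateSystemThread in driver.c, it should end with `PsTerminateSystemThread( STATUS_SUCCESS );` after the DEBUG_LOG instead of falling off the end, and its signature needs the `PVOID StartContext` parameter a PKSTART_ROUTINE receives. `_enable()` is also unconditional here: any early `return` between the `_disable()` earlier in the function (outside this hunk) and this line would leave interrupts off in a thread that then exits. The commented-out `//KeLowerIrql( irql );` should either be restored with its KeRaiseIrql counterpart or dropped, not left as a comment. The function starts outside the hunk.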