smol fixes c:

lhodges1 2023-09-17 19:23:32 +10:00
parent 543770ecba
commit 86316e9bbf
2 changed files with 8 additions and 4 deletions


@ -53,6 +53,8 @@
#define OBJECT_HEADER_SIZE 0x30
#define OBJECT_HEADER_TYPE_INDEX_OFFSET 0x018
#define POOL_HEADER_BLOCK_SIZE_OFFSET 0x02
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_1 0x70
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_2 0x80
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_3 0x30
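Review bot: The constants in this hunk (OBJECT_HEADER_SIZE, POOL_HEADER_BLOCK_SIZE_OFFSET and the KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_* values) are raw structure-layout numbers with no note of the Windows build they were measured on, and ValidateIfAddressIsProcessStructure, which consumes them in the other file, would presumably start rejecting or misclassifying allocations on any build where the layout differs. A one-line comment per group naming the build and the structures described, e.g. `/* layout offsets measured on <Windows build, TODO> — re-verify after each OS update */`, would make that dependency visible to the next maintainer. POOL_HEADER_BLOCK_SIZE_OFFSET in particular mirrors the position of the BlockSize field that the validator later reads through `PoolHeader->BlockSize`; if POOL_HEADER is declared in a header this file can see, `#define POOL_HEADER_BLOCK_SIZE_OFFSET offsetof( POOL_HEADER, BlockSize )` keeps the two from drifting apart. Which two of the six lines shown are the additions is not recoverable from the rendered page, so this applies to whichever are new.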


@ -142,7 +142,7 @@ BOOLEAN ValidateIfAddressIsProcessStructure(
if ( MmIsAddressValid( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET ) )
peak_virtual_size = *( UINT64* )( ( UINT64 )Address + EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET );
if ( MmIsAddressValid( ( UINT64 )PoolHeader + 0x02 ) )
if ( MmIsAddressValid( ( UINT64 )PoolHeader + POOL_HEADER_BLOCK_SIZE_OFFSET ) )
allocation_size = PoolHeader->BlockSize * CHUNK_SIZE - sizeof( POOL_HEADER );
if ( MmIsAddressValid( ( UINT64 )Address + EPROCESS_PEB_OFFSET ) )
@ -155,10 +155,10 @@ BOOLEAN ValidateIfAddressIsProcessStructure(
object_table_test = object_table == NULL || ( object_table & 0xe0000000 == 0xe0000000 && object_table % 0x8 == 0 );
allocation_size_test = allocation_size & 0xfff0;
if ( peak_virtual_size > 0 && ( dir_table_base & 0x20 ) == 0 && allocation_size > EPROCESS_SIZE &&
if ( peak_virtual_size > 0 && ( dir_table_base & 0x20 ) == 0 &&
allocation_size > ( EPROCESS_SIZE + OBJECT_HEADER_SIZE + sizeof( POOL_HEADER ) ) &&
PoolHeader->PoolType != NULL && !( allocation_size_test == 0xfff0 ) && !peb_test && !object_table_test )
{
DEBUG_LOG( "Virtual size: %llx, allocation size: %llx", peak_virtual_size, allocation_size );
return TRUE;
}
@ -237,7 +237,7 @@ VOID ScanPageForKernelObjectAllocation(
if ( !MmIsAddressValid( ( PVOID )pool_header ) )
break;
for ( ULONG header_size = 0x00; header_size < 0xb0; header_size += 0x10 )
for ( ULONG header_size = 0x30; header_size < 0xb0; header_size += 0x10 )
{
test_process = ( PEPROCESS )( ( UINT64 )pool_header + sizeof( POOL_HEADER ) + header_size );
@ -581,6 +581,8 @@ NTSTATUS FindUnlinkedProcesses(
WalkKernelPageTables( process_buffer );
__debugbreak();
EnumerateProcessListWithCallbackFunction(
CheckIfProcessAllocationIsInProcessList,
NULL