diff --git a/driver/pool.c b/driver/pool.c index f35885f..7f34790 100644 --- a/driver/pool.c +++ b/driver/pool.c @@ -4,6 +4,8 @@ #include +PPHYSICAL_MEMORY_RANGE physical_memory_ranges = NULL; + PKDDEBUGGER_DATA64 GetGlobalDebuggerData() { CONTEXT context = { 0 }; @@ -54,21 +56,70 @@ VOID ScanPageForProcessAllocations( if ( !PageBase || !PageSize ) return; - CHAR process[ 4 ] = { 'Proc' }; - - DEBUG_LOG( "1: %hhx, 2: %hhx, 3: %hhx, 5: %hhx", process[ 0 ], process[ 1 ], process[ 2 ], process[ 3 ] ); - - __debugbreak(); + CHAR process[] = "\x50\x72\x6F\x63"; + INT length = strlen( process ); + BOOLEAN found = TRUE; for ( INT offset = 0; offset < PageSize; offset++ ) { - if ( !MmIsAddressValid( PageBase + offset ) ) - continue; + for ( INT sig_index = 0; sig_index < length; sig_index++ ) + { + if ( !MmIsAddressValid( PageBase + offset + sig_index ) ) + { + found = FALSE; + break; + } - CHAR current_char = *( PCHAR )( PageBase + offset ); + //CHAR current_char = *( PCHAR )( PageBase + offset + sig_index ); + //CHAR current_sig_byte = process[ sig_index ]; + + //if ( current_char != current_sig_byte ) + //{ + // found = FALSE; + // break; + //} + } + + //if ( found ) + //{ + // PPOOL_HEADER pool_header = PageBase + offset - POOL_TAG_SIZE; + + // DEBUG_LOG( "Maybe found: %llx", ( UINT64 )pool_header ); + + // if ( pool_header->PoolType & POOL_FLAG_NON_PAGED && + // pool_header->PoolTag == 0x636f7250 ) + // { + // DEBUG_LOG( "FOUND POOL at: %llx", ( UINT64 )pool_header ); + // break; + // } + //} } } +VOID GetPhysicalMemoryRanges() +{ + physical_memory_ranges = MmGetPhysicalMemoryRanges(); +} + +BOOLEAN IsPhysicalAddressInPhysicalMemoryRange( + _In_ UINT64 PhysicalAddress, + _In_ PPHYSICAL_MEMORY_RANGE PhysicalMemoryRanges +) +{ + ULONG page_index = 0; + + while ( PhysicalMemoryRanges[ page_index ].NumberOfBytes.QuadPart != NULL ) + { + UINT64 start_address = PhysicalMemoryRanges[ page_index ].BaseAddress.QuadPart; + UINT64 end_address = start_address + PhysicalMemoryRanges[ page_index ].NumberOfBytes.QuadPart; + + if ( PhysicalAddress >= start_address && PhysicalAddress <= end_address ) + return TRUE; + } + + return FALSE; +} + /* * This is your basic page table walk function. On intel systems, paging has 4 levels, * each table holds 512 entries with a total size of 0x1000 (512 * sizeof(QWORD)). Each entry @@ -110,6 +161,24 @@ VOID WalkKernelPageTables() UINT64 base_virtual_page; PHYSICAL_ADDRESS physical; + VOID GetPhysicalMemoryRanges(); + + //if ( physical_memory_ranges == NULL ) + //{ + // DEBUG_ERROR( "Failed to get physical memory ranges" ); + // return; + //} + + PPHYSICAL_MEMORY_RANGE test = MmGetPhysicalMemoryRangesEx2( NULL, NULL ); + + if ( test == NULL ) + { + DEBUG_ERROR( "LOL stupid cunt not working" ); + return; + } + + DEBUG_LOG( "Test: %llx", ( UINT64 )test ); + cr3.BitAddress = __readcr3(); physical.QuadPart = cr3.Bits.PhysicalAddress << PAGE_4KB_SHIFT; @@ -186,6 +255,16 @@ VOID WalkKernelPageTables() base_virtual_page = MmGetVirtualForPhysical( physical ); + /* stupid fucking intellisense error GO AWAY! */ + if ( base_virtual_page == NULL || !MmIsAddressValid( base_virtual_page ) ) + continue; + + if ( base_virtual_page < 0xfffff80000000000 && base_virtual_page > 0xffffffffffffffff ) + continue; + + if ( IsPhysicalAddressInPhysicalMemoryRange( physical.QuadPart, test ) == FALSE ) + continue; + ScanPageForProcessAllocations( base_virtual_page, PAGE_BASE_SIZE ); } } diff --git a/driver/pool.h b/driver/pool.h index 5eb2d01..45c517e 100644 --- a/driver/pool.h +++ b/driver/pool.h @@ -12,6 +12,7 @@ #define PT_ENTRY_COUNT 512 #define PAGE_BASE_SIZE 0x1000 +#define POOL_TAG_SIZE 0x004 /* creds: https://www.unknowncheats.me/forum/2602838-post2.html */