From dbb3cfd1dc237e24239e10b7d75149f1753cf7e7 Mon Sep 17 00:00:00 2001
From: Josh Peedimaa <martenpeedimaa@hotmail.com>
Date: Mon, 28 Oct 2019 19:04:04 +0200
Subject: [PATCH] Add fixed)

---
 swhinjector/src/Main.cpp         | 18 ++++---
 swhinjector/src/intel_driver.cpp | 92 ++++++++++++++++++++++++++++++--
 swhinjector/src/intel_driver.hpp |  3 +-
 3 files changed, 101 insertions(+), 12 deletions(-)

diff --git a/swhinjector/src/Main.cpp b/swhinjector/src/Main.cpp
index 85164da..461ae77 100644
--- a/swhinjector/src/Main.cpp
+++ b/swhinjector/src/Main.cpp
@@ -80,6 +80,12 @@ struct DataToWrite
 
 int main(const int argc, char** argv)
 {
+		device_handle = intel_driver::Load();
+
+
+		intel_driver::Unload(device_handle);
+		return 0;
+	
 	if (argc < 4)
 	{
 		cout << "[-]Invalid Command" << endl;
@@ -189,15 +195,15 @@ int main(const int argc, char** argv)
 
 		//Initialize physical memory
 
-		device_handle = intel_driver::Load();
+		//device_handle = intel_driver::Load();
 
-		if (!device_handle)
-			throw exception("[-]Couldn't load driver");
+		//if (!device_handle)
+		//	throw exception("[-]Couldn't load driver");
 
-		if (!intel_driver::WriteToReadOnlyMemory(device_handle, (uint64_t)RWX_Secion_Address, &DATA, sizeof(DATA)))
-			throw exception("[-]Cloudn't write memroy");
+		//if (!intel_driver::WriteToReadOnlyMemory(device_handle, (uint64_t)RWX_Secion_Address, &DATA, sizeof(DATA)))
+		//	throw exception("[-]Cloudn't write memroy");
 
-		intel_driver::Unload(device_handle);
+		//intel_driver::Unload(device_handle);
 
 		VirtualUnlock(RWX_Secion_Address, sizeof(DATA));
 
diff --git a/swhinjector/src/intel_driver.cpp b/swhinjector/src/intel_driver.cpp
index 3521061..690fa8e 100644
--- a/swhinjector/src/intel_driver.cpp
+++ b/swhinjector/src/intel_driver.cpp
@@ -414,11 +414,88 @@ bool LocatePiDDB(HANDLE device_handle, uint64_t* lock, uint64_t* table) {
 	return true;
 }
 
+typedef struct _RTL_BALANCED_LINKS {
+    struct _RTL_BALANCED_LINKS *Parent;
+    struct _RTL_BALANCED_LINKS *LeftChild;
+    struct _RTL_BALANCED_LINKS *RightChild;
+    CHAR Balance;
+    UCHAR Reserved[3];
+} RTL_BALANCED_LINKS;
+typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS;
+
+
+//
+//  To use the generic table package the user declares a variable of type
+//  GENERIC_TABLE and then uses the routines described below to initialize
+//  the table and to manipulate the table.  Note that the generic table
+//  should really be an opaque type.
+//
+
+typedef struct _RTL_AVL_TABLE {
+    RTL_BALANCED_LINKS BalancedRoot;
+    PVOID OrderedPointer;
+    ULONG WhichOrderedElement;
+    ULONG NumberGenericTableElements;
+    ULONG DepthOfTree;
+    PRTL_BALANCED_LINKS RestartKey;
+    ULONG DeleteCount;
+    PVOID CompareRoutine;
+    PVOID AllocateRoutine;
+    PVOID FreeRoutine;
+    PVOID TableContext;
+} RTL_AVL_TABLE;
+typedef RTL_AVL_TABLE *PRTL_AVL_TABLE;
+
+bool intel_driver::DumpPiDDBCacheTable(HANDLE device_handle, uint64_t piddb_cache_table) {
+	uint64_t right_child;
+	if (!ReadMemory(device_handle, piddb_cache_table + 0x10, &right_child, sizeof(PVOID))) {
+		return false;
+	}
+
+	auto entry = right_child + sizeof(RTL_BALANCED_LINKS);
+
+	uint64_t first_entry;
+	if (!ReadMemory(device_handle, entry, &first_entry, sizeof(PVOID))) {
+		return false;
+	}
+
+	uint64_t last_entry;
+	if (!ReadMemory(device_handle, entry + sizeof(PVOID), &last_entry, sizeof(PVOID))) {
+		return false;
+	}
+
+	for (auto link = first_entry; link != last_entry;) {
+		UNICODE_STRING driver_name;
+		if (!ReadMemory(device_handle, link + offsetof(nt::PiDDBCacheEntry, DriverName), &driver_name, sizeof(driver_name))) {
+			return false;
+		}
+
+		std::wstring string;
+		string.resize(driver_name.Length);
+		if (!ReadMemory(device_handle, (uint64_t)driver_name.Buffer, string.data(), driver_name.Length)) {
+			return false;
+		}
+
+		std::wcout << L"madafakaa: " << string << L"\n";
+
+		if (!ReadMemory(device_handle, link, &link, sizeof(PVOID))) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
 bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
 	uint64_t piddb_lock;
 	uint64_t piddb_cache_table;
-	if (!LocatePiDDB(device_handle, &piddb_lock, &piddb_cache_table))
+	if (!LocatePiDDB(device_handle, &piddb_lock, &piddb_cache_table)) {
 		return false;
+	}
+
+	if (!DumpPiDDBCacheTable(device_handle, piddb_cache_table)) {
+		return false;
+	}
 
 	// build lookup entry
 	nt::PiDDBCacheEntry lookup_entry{};
@@ -429,20 +506,21 @@ bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
 	if (!ExAcquireResourceExclusiveLite(device_handle, piddb_lock, TRUE))
 		return false;
 
-	auto found_entry = (nt::PiDDBCacheEntry*)RtlLookupElementGenericTableAvl(device_handle, piddb_cache_table, &lookup_entry);
+	auto found_entry = RtlLookupElementGenericTableAvl(device_handle, piddb_cache_table, &lookup_entry);
 	if (!found_entry) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
 
 	// remove the entry from the list
-	if (!RemoveEntryList(device_handle, &found_entry->List)) {
+
+	if (!RemoveEntryListXD(device_handle, (PLIST_ENTRY)found_entry)) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
 
 	// remove the entry from the table
-	if (!RtlDeleteElementGenericTableAvl(device_handle, piddb_cache_table, &found_entry)) {
+	if (!RtlDeleteElementGenericTableAvl(device_handle, piddb_cache_table, found_entry)) {
 		ExReleaseResourceLite(device_handle, piddb_lock);
 		return false;
 	}
@@ -450,6 +528,10 @@ bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
 	// unlock the table
 	ExReleaseResourceLite(device_handle, piddb_lock);
 
+	if (!DumpPiDDBCacheTable(device_handle, piddb_cache_table)) {
+		return false;
+	}
+
 	return true;
 }
 
@@ -520,7 +602,7 @@ void intel_driver::ExReleaseResourceLite(HANDLE device_handle, uint64_t resource
 	CallKernelFunction<void>(device_handle, nullptr, kernel_ExReleaseResourceLite, resource);
 }
 
-bool intel_driver::RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry)
+bool intel_driver::RemoveEntryListXD(HANDLE device_handle, PLIST_ENTRY Entry)
 {
 	constexpr auto flink_offset = offsetof(LIST_ENTRY, Flink);
 	constexpr auto blink_offset = offsetof(LIST_ENTRY, Blink);
diff --git a/swhinjector/src/intel_driver.hpp b/swhinjector/src/intel_driver.hpp
index ff830da..7546508 100644
--- a/swhinjector/src/intel_driver.hpp
+++ b/swhinjector/src/intel_driver.hpp
@@ -78,13 +78,14 @@ namespace intel_driver
 	bool GetNtGdiDdDDIReclaimAllocations2KernelInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint64_t* out_kernel_original_function_address);
 	bool ClearMmUnloadedDrivers(HANDLE device_handle);
 	bool ClearPiDDBCacheTable(HANDLE device_handle);
+	bool DumpPiDDBCacheTable(HANDLE device_handle, uint64_t piddb_cache_table);
 
 	void* RtlLookupElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
 	bool RtlDeleteElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
 	bool ExAcquireResourceExclusiveLite(HANDLE device_handle, uint64_t resource, BOOLEAN wait);
 	void ExReleaseResourceLite(HANDLE device_handle, uint64_t resource);
 
-	bool RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry);
+	bool RemoveEntryListXD(HANDLE device_handle, PLIST_ENTRY Entry);
 
 	template<typename T, typename ...A>
 	bool CallKernelFunction(HANDLE device_handle, T* out_result, uint64_t kernel_function_address, const A ...arguments)