Add fixed)
This commit is contained in:
Josh Peedimaa
@@ -80,6 +80,12 @@ struct DataToWrite
|
||||
|
||||
int main(const int argc, char** argv)
|
||||
{
|
||||
device_handle = intel_driver::Load();
|
||||
|
||||
|
||||
intel_driver::Unload(device_handle);
|
||||
return 0;
|
||||
|
||||
if (argc < 4)
|
||||
{
|
||||
cout << "[-]Invalid Command" << endl;
|
||||
@@ -189,15 +195,15 @@ int main(const int argc, char** argv)
|
||||
|
||||
//Initialize physical memory
|
||||
|
||||
device_handle = intel_driver::Load();
|
||||
//device_handle = intel_driver::Load();
|
||||
|
||||
if (!device_handle)
|
||||
throw exception("[-]Couldn't load driver");
|
||||
//if (!device_handle)
|
||||
// throw exception("[-]Couldn't load driver");
|
||||
|
||||
if (!intel_driver::WriteToReadOnlyMemory(device_handle, (uint64_t)RWX_Secion_Address, &DATA, sizeof(DATA)))
|
||||
throw exception("[-]Cloudn't write memroy");
|
||||
//if (!intel_driver::WriteToReadOnlyMemory(device_handle, (uint64_t)RWX_Secion_Address, &DATA, sizeof(DATA)))
|
||||
// throw exception("[-]Cloudn't write memroy");
|
||||
|
||||
intel_driver::Unload(device_handle);
|
||||
//intel_driver::Unload(device_handle);
|
||||
|
||||
VirtualUnlock(RWX_Secion_Address, sizeof(DATA));
|
||||
|
||||
|
||||
@@ -414,11 +414,88 @@ bool LocatePiDDB(HANDLE device_handle, uint64_t* lock, uint64_t* table) {
|
||||
return true;
|
||||
}
|
||||
|
||||
typedef struct _RTL_BALANCED_LINKS {
|
||||
struct _RTL_BALANCED_LINKS *Parent;
|
||||
struct _RTL_BALANCED_LINKS *LeftChild;
|
||||
struct _RTL_BALANCED_LINKS *RightChild;
|
||||
CHAR Balance;
|
||||
UCHAR Reserved[3];
|
||||
} RTL_BALANCED_LINKS;
|
||||
typedef RTL_BALANCED_LINKS *PRTL_BALANCED_LINKS;
|
||||
|
||||
|
||||
//
|
||||
// To use the generic table package the user declares a variable of type
|
||||
// GENERIC_TABLE and then uses the routines described below to initialize
|
||||
// the table and to manipulate the table. Note that the generic table
|
||||
// should really be an opaque type.
|
||||
//
|
||||
|
||||
typedef struct _RTL_AVL_TABLE {
|
||||
RTL_BALANCED_LINKS BalancedRoot;
|
||||
PVOID OrderedPointer;
|
||||
ULONG WhichOrderedElement;
|
||||
ULONG NumberGenericTableElements;
|
||||
ULONG DepthOfTree;
|
||||
PRTL_BALANCED_LINKS RestartKey;
|
||||
ULONG DeleteCount;
|
||||
PVOID CompareRoutine;
|
||||
PVOID AllocateRoutine;
|
||||
PVOID FreeRoutine;
|
||||
PVOID TableContext;
|
||||
} RTL_AVL_TABLE;
|
||||
typedef RTL_AVL_TABLE *PRTL_AVL_TABLE;
|
||||
|
||||
bool intel_driver::DumpPiDDBCacheTable(HANDLE device_handle, uint64_t piddb_cache_table) {
|
||||
uint64_t right_child;
|
||||
if (!ReadMemory(device_handle, piddb_cache_table + 0x10, &right_child, sizeof(PVOID))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
auto entry = right_child + sizeof(RTL_BALANCED_LINKS);
|
||||
|
||||
uint64_t first_entry;
|
||||
if (!ReadMemory(device_handle, entry, &first_entry, sizeof(PVOID))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
uint64_t last_entry;
|
||||
if (!ReadMemory(device_handle, entry + sizeof(PVOID), &last_entry, sizeof(PVOID))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (auto link = first_entry; link != last_entry;) {
|
||||
UNICODE_STRING driver_name;
|
||||
if (!ReadMemory(device_handle, link + offsetof(nt::PiDDBCacheEntry, DriverName), &driver_name, sizeof(driver_name))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
std::wstring string;
|
||||
string.resize(driver_name.Length);
|
||||
if (!ReadMemory(device_handle, (uint64_t)driver_name.Buffer, string.data(), driver_name.Length)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
std::wcout << L"madafakaa: " << string << L"\n";
|
||||
|
||||
if (!ReadMemory(device_handle, link, &link, sizeof(PVOID))) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
|
||||
uint64_t piddb_lock;
|
||||
uint64_t piddb_cache_table;
|
||||
if (!LocatePiDDB(device_handle, &piddb_lock, &piddb_cache_table))
|
||||
if (!LocatePiDDB(device_handle, &piddb_lock, &piddb_cache_table)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!DumpPiDDBCacheTable(device_handle, piddb_cache_table)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// build lookup entry
|
||||
nt::PiDDBCacheEntry lookup_entry{};
|
||||
@@ -429,20 +506,21 @@ bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
|
||||
if (!ExAcquireResourceExclusiveLite(device_handle, piddb_lock, TRUE))
|
||||
return false;
|
||||
|
||||
auto found_entry = (nt::PiDDBCacheEntry*)RtlLookupElementGenericTableAvl(device_handle, piddb_cache_table, &lookup_entry);
|
||||
auto found_entry = RtlLookupElementGenericTableAvl(device_handle, piddb_cache_table, &lookup_entry);
|
||||
if (!found_entry) {
|
||||
ExReleaseResourceLite(device_handle, piddb_lock);
|
||||
return false;
|
||||
}
|
||||
|
||||
// remove the entry from the list
|
||||
if (!RemoveEntryList(device_handle, &found_entry->List)) {
|
||||
|
||||
if (!RemoveEntryListXD(device_handle, (PLIST_ENTRY)found_entry)) {
|
||||
ExReleaseResourceLite(device_handle, piddb_lock);
|
||||
return false;
|
||||
}
|
||||
|
||||
// remove the entry from the table
|
||||
if (!RtlDeleteElementGenericTableAvl(device_handle, piddb_cache_table, &found_entry)) {
|
||||
if (!RtlDeleteElementGenericTableAvl(device_handle, piddb_cache_table, found_entry)) {
|
||||
ExReleaseResourceLite(device_handle, piddb_lock);
|
||||
return false;
|
||||
}
|
||||
@@ -450,6 +528,10 @@ bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) {
|
||||
// unlock the table
|
||||
ExReleaseResourceLite(device_handle, piddb_lock);
|
||||
|
||||
if (!DumpPiDDBCacheTable(device_handle, piddb_cache_table)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -520,7 +602,7 @@ void intel_driver::ExReleaseResourceLite(HANDLE device_handle, uint64_t resource
|
||||
CallKernelFunction<void>(device_handle, nullptr, kernel_ExReleaseResourceLite, resource);
|
||||
}
|
||||
|
||||
bool intel_driver::RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry)
|
||||
bool intel_driver::RemoveEntryListXD(HANDLE device_handle, PLIST_ENTRY Entry)
|
||||
{
|
||||
constexpr auto flink_offset = offsetof(LIST_ENTRY, Flink);
|
||||
constexpr auto blink_offset = offsetof(LIST_ENTRY, Blink);
|
||||
|
||||
@@ -78,13 +78,14 @@ namespace intel_driver
|
||||
bool GetNtGdiDdDDIReclaimAllocations2KernelInfo(HANDLE device_handle, uint64_t* out_kernel_function_ptr, uint64_t* out_kernel_original_function_address);
|
||||
bool ClearMmUnloadedDrivers(HANDLE device_handle);
|
||||
bool ClearPiDDBCacheTable(HANDLE device_handle);
|
||||
bool DumpPiDDBCacheTable(HANDLE device_handle, uint64_t piddb_cache_table);
|
||||
|
||||
void* RtlLookupElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
|
||||
bool RtlDeleteElementGenericTableAvl(HANDLE device_handle, uint64_t table, void* buffer);
|
||||
bool ExAcquireResourceExclusiveLite(HANDLE device_handle, uint64_t resource, BOOLEAN wait);
|
||||
void ExReleaseResourceLite(HANDLE device_handle, uint64_t resource);
|
||||
|
||||
bool RemoveEntryList(HANDLE device_handle, PLIST_ENTRY Entry);
|
||||
bool RemoveEntryListXD(HANDLE device_handle, PLIST_ENTRY Entry);
|
||||
|
||||
template<typename T, typename ...A>
|
||||
bool CallKernelFunction(HANDLE device_handle, T* out_result, uint64_t kernel_function_address, const A ...arguments)
|
||||
|
||||
Reference in New Issue
Block a user