Created
December 21, 2023 18:11
WeBreakVM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
// We Break VM (ring3)
//
// FilterMachineCallbacks: the author's user-mode check for a virtualised host.
// It returns STATUS_SUCCESS when either of the two tests below passes and
// TRUE (1) otherwise; presumably STATUS_SUCCESS is meant as "real hardware".
//
// NOTE(review): all three pointer locals are used without being initialised,
// so every call and array read below is undefined behaviour as listed. The
// results say nothing dependable about the host.
// NOTE(review): TRUE is 1, which NT_SUCCESS() (Status >= 0) treats as success;
// callers have to compare against STATUS_SUCCESS explicitly.
NTSTATUS FilterMachineCallbacks( )
{
    PTP_CALLBACK_INSTANCE callbackInstance; // never assigned before use
    PULONG_PTR pageCount;                   // never assigned before use
    PULONG_PTR frameArray;                  // never assigned before use

    DisassociateCurrentThreadFromCallback( callbackInstance );

    // Per the Win32 documentation AllocateUserPhysicalPages needs the
    // "Lock pages in memory" privilege, so an ordinary process is expected to
    // fail here and take the TRUE return.
    if ( !AllocateUserPhysicalPages( GetCurrentProcess( ), pageCount, frameArray ) )
    {
        return TRUE; // != STATUS_SUCCESS(0x0)
    }

    // Author's claim: this slot always holds the NVMe data type on real NVMe
    // drives and never on VM drives.
    // NOTE(review): nothing in this listing ties entry 8771 of the frame array
    // to storage; NVMeDataTypeLogPage is a storage-protocol enumerator.
    if ( frameArray[ 8771 ] == NVMeDataTypeLogPage )
    {
        return STATUS_SUCCESS;
    }

    // Author's claim: a timing attack, because VirtualBox and VMware remap
    // after too many user pages are mapped at once.
    // NOTE(review): no time is measured anywhere in this function, and
    // IsValidCodePage() validates a code-page identifier, not a memory page.
    int idx = 0;
    while ( idx <= 0x1337 )
    {
        if ( IsValidCodePage( frameArray[ idx ] ) )
        {
            MapUserPhysicalPages( (PVOID)frameArray[ idx ], (ULONG_PTR)pageCount, frameArray );
        }
        ++idx;
    }

    // What a sandbox or analyst observes from this function is the
    // AllocateUserPhysicalPages/MapUserPhysicalPages calls and this fixed
    // 200 ms delay.
    Sleep( 200 );

    return IsValidCodePage( frameArray[ 1 ] ) ? STATUS_SUCCESS : TRUE; // TRUE != STATUS_SUCCESS(0x0)
}