From a2641bfa11fab74e03a5db57fb5cd366d8947766 Mon Sep 17 00:00:00 2001
From: Samuel Tulach
Date: Tue, 14 Apr 2020 19:17:46 +0200
Subject: [PATCH] Tue, Apr 14, 2020 7:17:46 PM
---
 client/client/client/client.cpp | 9 ++---
 client/client/client/helper.h | 35 ++++++++++++++++++
 client/client/client/utils.h | 64 ++++++++++++++++++++++++++++++++-
 3 files changed, 101 insertions(+), 7 deletions(-)
 create mode 100644 client/client/client/helper.h
diff --git a/client/client/client/client.cpp b/client/client/client/client.cpp
index 2414ad0..ea09d98 100644
--- a/client/client/client/client.cpp
+++ b/client/client/client/client.cpp
@@ -25,6 +25,7 @@
 #include "nt.h"
 #include "driver.h"
 #include "utils.h"
+#include "helper.h"
 
 int main()
 {
@@ -42,10 +43,6 @@ int main()
 std::cout << "[-] Driver test failed" << std::endl;
 }
 
- uint64_t kernel_function_ptr = 0;
- uint64_t kernel_original_function_address = 0;
-
- Utils::GetNtGdiDdDDIReclaimAllocations2KernelInfo(&kernel_function_ptr, &kernel_original_function_address);
-
- printf("%llx %llx\n", kernel_function_ptr, kernel_original_function_address);
+ uintptr_t test = Helper::AllocatePool(nt::PagedPool, sizeof(uintptr_t));
+ printf("%llx\n", test);
 }
diff --git a/client/client/client/helper.h b/client/client/client/helper.h
new file mode 100644
index 0000000..7d73c5a
--- /dev/null
+++ b/client/client/client/helper.h
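Review bot: The allocation returned into `test` is never released even though this commit adds `Helper::FreePool` in `helper.h`, so each run of the test leaves the pool allocation behind; `Helper::FreePool(test);` after the `printf` closes the test properly. `Helper::AllocatePool` returns `uint64_t` while `test` is declared `uintptr_t` and printed with `%llx`, which only lines up on a 64-bit build; declaring `uint64_t test` keeps the value and the format specifier consistent. The body of `main` starts outside the hunk.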
@@ -0,0 +1,35 @@
+#pragma once
+
+namespace Helper
+{
+ uint64_t AllocatePool(nt::POOL_TYPE pool_type, uint64_t size)
+ {
+ if (!size)
+ return 0;
+
+ static uint64_t kernel_ExAllocatePool = 0;
+
+ if (!kernel_ExAllocatePool)
+ kernel_ExAllocatePool = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExAllocatePool");
+
+ uint64_t allocated_pool = 0;
+
+ if (!Utils::CallKernelFunction(&allocated_pool, kernel_ExAllocatePool, pool_type, size))
+ return 0;
+
+ return allocated_pool;
+ }
+
+ bool FreePool(uint64_t address)
+ {
+ if (!address)
+ return 0;
+
+ static uint64_t kernel_ExFreePool = 0;
+
+ if (!kernel_ExFreePool)
+ kernel_ExFreePool = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExFreePool");
+
+ return Utils::CallKernelFunction(nullptr, kernel_ExFreePool, address);
+ }
+}
\ No newline at end of file
diff --git a/client/client/client/utils.h b/client/client/client/utils.h
index 4cd8998..9d43112 100644
--- a/client/client/client/utils.h
+++ b/client/client/client/utils.h
@@ -114,7 +114,6 @@ namespace Utils
 
 if (!kernel_NtGdiDdDDIReclaimAllocations2)
 {
- std::cout << "[-] Failed to get export win32kbase.NtGdiDdDDIReclaimAllocations2" << std::endl;
 return false;
 }
 
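Review bot: `FreePool` is declared `bool` but its null-address guard returns the integer literal `0`; it should be `return false;` to match the function's type and the convention used by `CallKernelFunction`'s own `return false;` paths. The new header has no `#include` lines and relies on `nt.h` and `utils.h` already being included by the translation unit, which `client.cpp` satisfies only through include order; a comment such as `// Requires nt.h and utils.h to be included before this header` (or the includes themselves) would make that dependency explicit. `AllocatePool` also returns 0 for three different conditions (zero size, unresolved export, failed call), so a one-line comment stating that callers cannot distinguish them would help.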
@@ -133,4 +132,67 @@ namespace Utils
 return true;
 }
 
+
+ template
+ bool CallKernelFunction(T* out_result, uint64_t kernel_function_address, const A ...arguments)
+ {
+ constexpr auto call_void = std::is_same_v;
+
+ if constexpr (!call_void)
+ {
+ if (!out_result)
+ return false;
+ }
+ else
+ {
+ UNREFERENCED_PARAMETER(out_result);
+ }
+
+ if (!kernel_function_address)
+ return false;
+
+ // Setup function call
+
+ const auto NtGdiDdDDIReclaimAllocations2 = reinterpret_cast(GetProcAddress(LoadLibraryA("gdi32full.dll"), "NtGdiDdDDIReclaimAllocations2"));
+
+ if (!NtGdiDdDDIReclaimAllocations2)
+ {
+ std::cout << "[-] Failed to get export gdi32full.NtGdiDdDDIReclaimAllocations2" << std::endl;
+ return false;
+ }
+
+ // Get function pointer (@win32kbase!gDxgkInterface table) used by NtGdiDdDDIReclaimAllocations2 and save the original address (dxgkrnl!DxgkReclaimAllocations2)
+
+ uint64_t kernel_function_ptr = 0;
+ uint64_t kernel_original_function_address = 0;
+
+ if (!GetNtGdiDdDDIReclaimAllocations2KernelInfo(&kernel_function_ptr, &kernel_original_function_address))
+ return false;
+
+ // Overwrite the pointer with kernel_function_address
+
+ Driver::WriteMemory(kernel_function_ptr, &kernel_function_address, sizeof(kernel_function_address));
+
+ // Call function
+
+ if constexpr (!call_void)
+ {
+ using FunctionFn = T(__stdcall*)(A...);
+ const auto Function = static_cast(NtGdiDdDDIReclaimAllocations2);
+
+ *out_result = Function(arguments...);
+ }
+ else
+ {
+ using FunctionFn = void(__stdcall*)(A...);
+ const auto Function = static_cast(NtGdiDdDDIReclaimAllocations2);
+
+ Function(arguments...);
+ }
+
+ // Restore the pointer
+
+ Driver::WriteMemory(kernel_function_ptr, &kernel_original_function_address, sizeof(kernel_original_function_address));
+ return true;
+ }
 }
\ No newline at end of file
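Review bot: Both `Driver::WriteMemory` calls in `CallKernelFunction` discard their result, so the function returns `true` even when the restore write at the end fails and the overwritten pointer is left in place; the restore result should at least be propagated, `return Driver::WriteMemory(kernel_function_ptr, &kernel_original_function_address, sizeof(kernel_original_function_address));`. The failure branch for the `gdi32full` export still logs via `std::cout`, while the earlier hunk in this file removes the equivalent log for the `win32kbase` export; the two paths should report failures the same way. As rendered here the parameter list after `template` and the arguments of `std::is_same_v`, `reinterpret_cast` and `static_cast` are missing, which looks like angle brackets lost in extraction rather than the committed source, but is worth confirming against the repository. A short comment on the template header stating that `T` is the called function's return type (`void` when there is no result) and `A...` its argument types would make the `call_void` branches self-explanatory.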