Tue, Apr 14, 2020 7:17:46 PM

client/client/client/client.cpp

@@ -25,6 +25,7 @@
 #include "nt.h"
 #include "driver.h"
 #include "utils.h"
+#include "helper.h"
 
 int main()
 {
@@ -42,10 +43,6 @@ int main()
         std::cout << "[-] Driver test failed" << std::endl;
     }
 
-    uint64_t kernel_function_ptr = 0;
+    uintptr_t test = Helper::AllocatePool(nt::PagedPool, sizeof(uintptr_t));
-    uint64_t kernel_original_function_address = 0;
+    printf("%llx\n", test);
-
-    Utils::GetNtGdiDdDDIReclaimAllocations2KernelInfo(&kernel_function_ptr, &kernel_original_function_address);
-
-    printf("%llx %llx\n", kernel_function_ptr, kernel_original_function_address);
 }

client/client/client/helper.h

@@ -0,0 +1,35 @@
+#pragma once
+
+namespace Helper 
+{
+	uint64_t AllocatePool(nt::POOL_TYPE pool_type, uint64_t size)
+	{
+		if (!size)
+			return 0;
+
+		static uint64_t kernel_ExAllocatePool = 0;
+
+		if (!kernel_ExAllocatePool)
+			kernel_ExAllocatePool = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExAllocatePool");
+
+		uint64_t allocated_pool = 0;
+
+		if (!Utils::CallKernelFunction(&allocated_pool, kernel_ExAllocatePool, pool_type, size))
+			return 0;
+
+		return allocated_pool;
+	}
+
+	bool FreePool(uint64_t address)
+	{
+		if (!address)
+			return 0;
+
+		static uint64_t kernel_ExFreePool = 0;
+
+		if (!kernel_ExFreePool)
+			kernel_ExFreePool = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "ExFreePool");
+
+		return Utils::CallKernelFunction<void>(nullptr, kernel_ExFreePool, address);
+	}
+}

client/client/client/utils.h

@@ -114,7 +114,6 @@ namespace Utils
 
 			if (!kernel_NtGdiDdDDIReclaimAllocations2)
 			{
-				std::cout << "[-] Failed to get export win32kbase.NtGdiDdDDIReclaimAllocations2" << std::endl;
 				return false;
 			}
 
@@ -133,4 +132,67 @@ namespace Utils
 
 		return true;
 	}
+
+	template<typename T, typename ...A>
+	bool CallKernelFunction(T* out_result, uint64_t kernel_function_address, const A ...arguments)
+	{
+		constexpr auto call_void = std::is_same_v<T, void>;
+
+		if constexpr (!call_void)
+		{
+			if (!out_result)
+				return false;
+		}
+		else
+		{
+			UNREFERENCED_PARAMETER(out_result);
+		}
+
+		if (!kernel_function_address)
+			return false;
+
+		// Setup function call 
+
+		const auto NtGdiDdDDIReclaimAllocations2 = reinterpret_cast<void*>(GetProcAddress(LoadLibraryA("gdi32full.dll"), "NtGdiDdDDIReclaimAllocations2"));
+
+		if (!NtGdiDdDDIReclaimAllocations2)
+		{
+			std::cout << "[-] Failed to get export gdi32full.NtGdiDdDDIReclaimAllocations2" << std::endl;
+			return false;
+		}
+
+		// Get function pointer (@win32kbase!gDxgkInterface table) used by NtGdiDdDDIReclaimAllocations2 and save the original address (dxgkrnl!DxgkReclaimAllocations2)
+
+		uint64_t kernel_function_ptr = 0;
+		uint64_t kernel_original_function_address = 0;
+
+		if (!GetNtGdiDdDDIReclaimAllocations2KernelInfo(&kernel_function_ptr, &kernel_original_function_address))
+			return false;
+
+		// Overwrite the pointer with kernel_function_address
+
+		Driver::WriteMemory(kernel_function_ptr, &kernel_function_address, sizeof(kernel_function_address));
+
+		// Call function 
+
+		if constexpr (!call_void)
+		{
+			using FunctionFn = T(__stdcall*)(A...);
+			const auto Function = static_cast<FunctionFn>(NtGdiDdDDIReclaimAllocations2);
+
+			*out_result = Function(arguments...);
+		}
+		else
+		{
+			using FunctionFn = void(__stdcall*)(A...);
+			const auto Function = static_cast<FunctionFn>(NtGdiDdDDIReclaimAllocations2);
+
+			Function(arguments...);
+		}
+
+		// Restore the pointer
+
+		Driver::WriteMemory(kernel_function_ptr, &kernel_original_function_address, sizeof(kernel_original_function_address));
+		return true;
+	}
 }