Tue, Apr 14, 2020 8:32:26 PM

Samuel Tulach
2020-04-14 20:32:26 +02:00
parent a4f4e7b654
commit da652648b5
3 changed files with 36 additions and 35 deletions


@@ -29,6 +29,7 @@
#include "helper.h"
#define EXPLORER_EXE L"explorer.exe"
#define PRINT_HEX(x) std::hex << std::setw(8) << std::setfill('0') << std::uppercase << x << std::nouppercase << std::dec
int main()
{
@@ -55,6 +56,7 @@ int main()
std::cout << "[-] Failed to get current process" << std::endl;
return -1;
}
std::cout << "[+] Current PEPROCESS 0x" << PRINT_HEX(current) << std::endl;
std::cout << "[>] Getting explorer.exe PEPROCESS..." << std::endl;
int pid = Utils::Find(EXPLORER_EXE);
@@ -71,21 +73,25 @@ int main()
std::cout << "[-] Failed to get explorer.exe PEPROCESS" << std::endl;
return -1;
}
std::cout << "[+] Target PEPROCESS 0x" << PRINT_HEX(explorer) << std::endl;
std::cout << "[>] Reading DOS header..." << std::endl;
uintptr_t baseaddress = Utils::GetModuleBaseAddress(pid, EXPLORER_EXE);
if (!baseaddress)
std::cout << "[>] Getting process base..." << std::endl;
uintptr_t baseaddress = Helper::GetSectionBase(explorer);
if (!baseaddress)
{
std::cout << "[-] Failed to get explorer.exe base address" << std::endl;
std::cout << "[-] Failed to get base address" << std::endl;
return -1;
}
IMAGE_DOS_HEADER header = { 0 };
std::cout << "[+] Explorer.exe base 0x" << PRINT_HEX(baseaddress) << std::endl;
std::cout << "[>] Reading DOS header..." << std::endl;
IMAGE_DOS_HEADER* header = new IMAGE_DOS_HEADER;
SIZE_T retsize = 0;
NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)&header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
std::cout << "[+] Test read:" << std::endl;
std::cout << "\tStatus: " << std::hex << std::setw(8) << std::setfill('0') << std::uppercase << copystatus << std::nouppercase << std::dec << std::endl;
std::cout << "\tDOS magic: " << header.e_magic << std::endl;
std::cout << "\tNT offset: " << header.e_lfanew << std::endl;
std::cout << "\tStatus: 0x" << PRINT_HEX(copystatus) << std::endl;
std::cout << "\tRead: 0x" << PRINT_HEX(retsize) << std::endl;
std::cout << "\tDOS magic: 0x" << PRINT_HEX(header->e_magic) << std::endl;
std::cout << "\tNT offset: 0x" << PRINT_HEX(header->e_lfanew) << std::endl;
}
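Review bot: The DOS header fields are printed on the last lines of the hunk whether or not CopyVirtualMemory succeeded, so a failed read dumps whatever indeterminate bytes `new IMAGE_DOS_HEADER` handed back; check the status and the byte count before the dereference, e.g. `if (!NT_SUCCESS(copystatus) || retsize != sizeof(IMAGE_DOS_HEADER)) { std::cout << "[-] Header read failed" << std::endl; return -1; }` placed before the `[+] Test read:` line (if NT_SUCCESS is not in scope, `copystatus < 0` is the equivalent test for an NTSTATUS). The `new` is also never released; the previous stack object already passed the struct's own address via `&header`, so a value-initialized `IMAGE_DOS_HEADER header{};` with `(uintptr_t)&header` avoids both the leak and the uninitialized contents. main() begins outside this hunk.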


@@ -63,7 +63,26 @@ namespace Helper
return status;
}
NTSTATUS CopyVirtualMemory(uintptr_t sourceprocess,
uint64_t GetSectionBase(uintptr_t peprocess)
{
if (!peprocess)
return 0;
static uint64_t kernel_PsGetProcessSectionBaseAddress = 0;
if (!kernel_PsGetProcessSectionBaseAddress)
kernel_PsGetProcessSectionBaseAddress = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "PsGetProcessSectionBaseAddress");
uint64_t baseaddr = 0;
if (!Utils::CallKernelFunction(&baseaddr, kernel_PsGetProcessSectionBaseAddress, peprocess))
return 0;
return baseaddr;
}
NTSTATUS CopyVirtualMemory(
uintptr_t sourceprocess,
uintptr_t sourceaddress,
uintptr_t destinationprocess,
uintptr_t destinationaddress,
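Review bot: In GetSectionBase the resolved export is never validated: if Utils::GetKernelModuleAddress or Utils::GetKernelModuleExport fails and leaves `kernel_PsGetProcessSectionBaseAddress` at 0, the code still hands that null function address to Utils::CallKernelFunction. Add `if (!kernel_PsGetProcessSectionBaseAddress) return 0;` directly after the lookup, mirroring the existing `if (!peprocess) return 0;` guard; because the cache is a function-local static, a failed lookup is simply retried on the next call. A short header comment such as `// Resolves PsGetProcessSectionBaseAddress once, then returns the section base for the given process; 0 on any failure.` would document the contract. GetSectionBase lies entirely inside the hunk; the CopyVirtualMemory signature that follows it continues past the hunk's end.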


@@ -18,30 +18,6 @@ namespace Utils
CloseHandle(snapshot);
return 0;
}
uint64_t GetModuleBaseAddress(uint32_t procId, const wchar_t* modName)
{
uintptr_t modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}
uint64_t GetKernelModuleAddress(const std::string& module_name)
{