diff --git a/src/driver/ept.cpp b/src/driver/ept.cpp
index 66c38ef..eea1fb4 100644
--- a/src/driver/ept.cpp
+++ b/src/driver/ept.cpp
@@ -135,7 +135,7 @@ namespace vmx
 memcpy(hook->fake_page + page_offset, source, length);
 }
- void ept::install_hook(void* destination, const void* source, const size_t length)
+ void ept::install_hook(const void* destination, const void* source, const size_t length)
 {
 auto current_destination = reinterpret_cast(destination);
 auto current_source = reinterpret_cast(source);
diff --git a/src/driver/ept.hpp b/src/driver/ept.hpp
index 3e91c6f..fbf0aa2 100644
--- a/src/driver/ept.hpp
+++ b/src/driver/ept.hpp
@@ -53,7 +53,7 @@ namespace vmx
 void initialize();
- void install_hook(void* destination, const void* source, size_t length);
+ void install_hook(const void* destination, const void* source, size_t length);
 void disable_all_hooks() const;
 void handle_violation(guest_context& guest_context) const;
diff --git a/src/driver/hypervisor.cpp b/src/driver/hypervisor.cpp
index c49e7d6..a58d83d 100644
--- a/src/driver/hypervisor.cpp
+++ b/src/driver/hypervisor.cpp
@@ -159,7 +159,7 @@ bool hypervisor::is_enabled() const
 return is_hypervisor_present();
 }
-bool hypervisor::install_ept_hook(void* destination, const void* source, const size_t length)
+bool hypervisor::install_ept_hook(const void* destination, const void* source, const size_t length)
 {
 volatile long failures = 0;
 thread::dispatch_on_all_cores([&]()
@@ -1005,7 +1005,7 @@ void hypervisor::free_vm_states()
 this->vm_state_count_ = 0;
 }
-bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* source, const size_t length)
+bool hypervisor::try_install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
 {
 try
 {
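Review bot: `destination` is now `const void*`, but the unchanged context line that initialises `current_destination` still goes through a `reinterpret_cast` whose target type is not visible in this hunk; if that target is a non-const pointer such as `uint8_t*`, the cast from `const void*` casts away constness and the commit will not build. It should read `reinterpret_cast<const uint8_t*>(destination)`, the same const-qualified form the `source` line must already use since `source` was `const void*` before this change. The body of `ept::install_hook` continues past the hunk, so any later write through `current_destination` would need the same review.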
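Review bot: `volatile long failures` is captured by reference into the lambda handed to `thread::dispatch_on_all_cores`, and `volatile` does not make a read-modify-write atomic; if the per-core lambda increments it while the cores run concurrently, failures can be lost and `install_ept_hook` would report success for a hook that was not installed everywhere. Unless `dispatch_on_all_cores` serialises the calls, the update should go through `InterlockedIncrement(&failures)` and the final read should happen only after dispatch returns. The body of `install_ept_hook` continues outside the hunk, so how `failures` is updated is not visible here.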
@@ -1024,7 +1024,7 @@ bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* sou
 }
 }
-void hypervisor::install_ept_hook_on_core(void* destination, const void* source, const size_t length)
+void hypervisor::install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
 {
 auto* vm_state = this->get_current_vm_state();
 if (!vm_state)
diff --git a/src/driver/hypervisor.hpp b/src/driver/hypervisor.hpp
index 589c3b0..08973a5 100644
--- a/src/driver/hypervisor.hpp
+++ b/src/driver/hypervisor.hpp
@@ -19,7 +19,7 @@ public:
 bool is_enabled() const;
- bool install_ept_hook(void* destination, const void* source, size_t length);
+ bool install_ept_hook(const void* destination, const void* source, size_t length);
 void disable_all_ept_hooks() const;
 static hypervisor* get_instance();
@@ -35,8 +35,8 @@ private:
 void allocate_vm_states();
 void free_vm_states();
- bool try_install_ept_hook_on_core(void* destination, const void* source, size_t length);
- void install_ept_hook_on_core(void* destination, const void* source, size_t length);
+ bool try_install_ept_hook_on_core(const void* destination, const void* source, size_t length);
+ void install_ept_hook_on_core(const void* destination, const void* source, size_t length);
 vmx::state* get_current_vm_state() const;
 };
diff --git a/src/driver/irp.cpp b/src/driver/irp.cpp
index 66911f0..b285d38 100644
--- a/src/driver/irp.cpp
+++ b/src/driver/irp.cpp
@@ -8,6 +8,8 @@
 #include
 #include "process.hpp"
+#include "thread.hpp"
+#include "hypervisor.hpp"
 namespace
 {
@@ -38,27 +40,55 @@ namespace
 // TODO: This is vulnerable as fuck. Optimize!
 void apply_hook(hook_request* request)
 {
- const auto address = reinterpret_cast(request->target_address);
- const auto aligned_address = address & (PAGE_SIZE - 1);
- const auto offset = address - aligned_address;
-
- debug_log("Pid: %d | Address: %p\n", request->process_id, request->target_address);
-
- const auto process_handle = process::find_process_by_id(request->process_id);
- if (!process_handle || !process_handle.is_alive())
+ thread::kernel_thread t([r = *request]()
 {
- debug_log("Bad process\n");
- return;
- }
+ debug_log("Pid: %d | Address: %p\n", r.process_id, r.target_address);
- const auto name = process_handle.get_image_filename();
- if (name)
- {
- debug_log("Attaching to %s\n", name);
- }
+ const auto process_handle = process::find_process_by_id(r.process_id);
+ if (!process_handle || !process_handle.is_alive())
+ {
+ debug_log("Bad process\n");
+ return;
+ }
- //process::scoped_process_attacher attacher{process_handle};
- //debug_log("Original: %s\n", request->target_address);
+ const auto name = process_handle.get_image_filename();
+ if (name)
+ {
+ debug_log("Attaching to %s\n", name);
+ }
+
+ debug_log("Level: %d\n", static_cast(KeGetCurrentIrql()));
+
+ /*
+ auto buffer = new uint8_t[r.source_data_size];
+ if (!buffer)
+ {
+ debug_log("Failed to allocate buffer\n");
+ return;
+ }
+
+ auto destructor = utils::finally([buffer]()
+ {
+ delete[] buffer;
+ });
+
+ memcpy(buffer, r.source_data, r.source_data_size);
+ */
+
+ process::scoped_process_attacher attacher{process_handle};
+
+ debug_log("Original: %p\n", r.target_address);
+
+ uint8_t buffer = 0xEB;
+
+ //hypervisor::get_instance()->install_ept_hook(r.target_address, buffer, r.source_data_size);
+ hypervisor::get_instance()->install_ept_hook(r.target_address, &buffer, 1);
+
+ debug_log("Done1\n");
+ });
+
+ t.join();
+ debug_log("Done\n");
 }
 _Function_class_(DRIVER_DISPATCH) NTSTATUS io_ctl_handler(
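Review bot: `[r = *request]` dereferences `request` without any validation, and the `-81,6` hunk below hands it `Parameters.DeviceIoControl.Type3InputBuffer`, a raw user-mode pointer that `METHOD_NEITHER` neither validates nor copies, so a short, unmapped or misaligned buffer can fault the kernel before the thread is even created. The request should be copied into kernel memory in the dispatch context first: check `Parameters.DeviceIoControl.InputBufferLength` against `sizeof(hook_request)`, `ProbeForRead` the pointer and `memcpy` it inside a `__try`/`__except` that lives in its own helper, because `__try` cannot share a frame with `thread::kernel_thread`'s destructor; the rewritten prologue is below, and the call in the `-81,6` hunk would then pass `InputBufferLength` as a second argument. The same applies to `r.source_data`: it points into the requesting process, so the commented-out `memcpy` cannot work inside a kernel thread running in system context, and those bytes should be probed and copied here as well so `install_ept_hook` can use them instead of the hard-coded `&buffer, 1` that ignores `r.source_data_size`. The `bool` returned by `install_ept_hook` is also discarded, so the IOCTL completes successfully even when no hook was installed; `apply_hook` should return a status the handler can put into the IRP.
```cpp
// Copies a METHOD_NEITHER request out of user memory. `input` is a raw
// user-mode pointer: valid only in the requesting thread's context and only
// after probing. The SEH handler lives in its own function because __try
// cannot share a frame with objects that need unwinding (kernel_thread).
bool copy_hook_request(void* input, const size_t input_length, hook_request& out)
{
	if (!input || input_length < sizeof(hook_request))
	{
		return false;
	}

	__try
	{
		ProbeForRead(input, sizeof(hook_request), 1);
		memcpy(&out, input, sizeof(hook_request));
		return true;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		return false;
	}
}

void apply_hook(void* input, const size_t input_length)
{
	hook_request request{};
	if (!copy_hook_request(input, input_length, request))
	{
		debug_log("Bad request\n");
		return;
	}

	thread::kernel_thread t([r = request]()
	// … unchanged: body of the kernel thread …
```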
@@ -81,6 +111,7 @@ namespace
 debug_log("Hello from the Driver!\n");
 break;
 case HOOK_DRV_IOCTL:
+ apply_hook(static_cast(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
 break;
 default:
diff --git a/src/runner/main.cpp b/src/runner/main.cpp
index e2ea57a..8ad51cf 100644
--- a/src/runner/main.cpp
+++ b/src/runner/main.cpp
@@ -66,7 +66,13 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])
 hook_request hook_request{};
 hook_request.process_id = _pid; //GetCurrentProcessId();
- hook_request.target_address = (void*)0x1401644A8; //"My Message!";
+ hook_request.target_address = (void*)0x14007DCF7; //"My Message!";
+
+ uint8_t buffer[1];
+ buffer[0] = 0xEB;
+
+ hook_request.source_data = buffer;
+ hook_request.source_data_size = 1;
 input.assign(reinterpret_cast(&hook_request), reinterpret_cast(&hook_request) + sizeof(hook_request));