Hook tests

src/driver/ept.cpp

@@ -135,7 +135,7 @@ namespace vmx
 		memcpy(hook->fake_page + page_offset, source, length);
 	}
 
-	void ept::install_hook(void* destination, const void* source, const size_t length)
+	void ept::install_hook(const void* destination, const void* source, const size_t length)
 	{
 		auto current_destination = reinterpret_cast<uint64_t>(destination);
 		auto current_source = reinterpret_cast<uint64_t>(source);

src/driver/ept.hpp

@@ -53,7 +53,7 @@ namespace vmx
 
 		void initialize();
 
-		void install_hook(void* destination, const void* source, size_t length);
+		void install_hook(const void* destination, const void* source, size_t length);
 		void disable_all_hooks() const;
 
 		void handle_violation(guest_context& guest_context) const;

src/driver/hypervisor.cpp

@@ -159,7 +159,7 @@ bool hypervisor::is_enabled() const
 	return is_hypervisor_present();
 }
 
-bool hypervisor::install_ept_hook(void* destination, const void* source, const size_t length)
+bool hypervisor::install_ept_hook(const void* destination, const void* source, const size_t length)
 {
 	volatile long failures = 0;
 	thread::dispatch_on_all_cores([&]()
@@ -1005,7 +1005,7 @@ void hypervisor::free_vm_states()
 	this->vm_state_count_ = 0;
 }
 
-bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* source, const size_t length)
+bool hypervisor::try_install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
 {
 	try
 	{
@@ -1024,7 +1024,7 @@ bool hypervisor::try_install_ept_hook_on_core(void* destination, const void* sou
 	}
 }
 
-void hypervisor::install_ept_hook_on_core(void* destination, const void* source, const size_t length)
+void hypervisor::install_ept_hook_on_core(const void* destination, const void* source, const size_t length)
 {
 	auto* vm_state = this->get_current_vm_state();
 	if (!vm_state)

src/driver/hypervisor.hpp

@@ -19,7 +19,7 @@ public:
 
 	bool is_enabled() const;
 
-	bool install_ept_hook(void* destination, const void* source, size_t length);
+	bool install_ept_hook(const void* destination, const void* source, size_t length);
 	void disable_all_ept_hooks() const;
 
 	static hypervisor* get_instance();
@@ -35,8 +35,8 @@ private:
 	void allocate_vm_states();
 	void free_vm_states();
 
-	bool try_install_ept_hook_on_core(void* destination, const void* source, size_t length);
+	bool try_install_ept_hook_on_core(const void* destination, const void* source, size_t length);
-	void install_ept_hook_on_core(void* destination, const void* source, size_t length);
+	void install_ept_hook_on_core(const void* destination, const void* source, size_t length);
 
 	vmx::state* get_current_vm_state() const;
 };

src/driver/irp.cpp

@@ -8,6 +8,8 @@
 #include <irp_data.hpp>
 
 #include "process.hpp"
+#include "thread.hpp"
+#include "hypervisor.hpp"
 
 namespace
 {
@@ -38,27 +40,55 @@ namespace
 	// TODO: This is vulnerable as fuck. Optimize!
 	void apply_hook(hook_request* request)
 	{
-		const auto address = reinterpret_cast<uint64_t>(request->target_address);
+		thread::kernel_thread t([r = *request]()
-		const auto aligned_address = address & (PAGE_SIZE - 1);
-		const auto offset = address - aligned_address;
-
-		debug_log("Pid: %d | Address: %p\n", request->process_id, request->target_address);
-
-		const auto process_handle = process::find_process_by_id(request->process_id);
-		if (!process_handle || !process_handle.is_alive())
 		{
-			debug_log("Bad process\n");
+			debug_log("Pid: %d | Address: %p\n", r.process_id, r.target_address);
-			return;
-		}
 
-		const auto name = process_handle.get_image_filename();
+			const auto process_handle = process::find_process_by_id(r.process_id);
-		if (name)
+			if (!process_handle || !process_handle.is_alive())
-		{
+			{
-			debug_log("Attaching to %s\n", name);
+				debug_log("Bad process\n");
-		}
+				return;
+			}
 
-		//process::scoped_process_attacher attacher{process_handle};
+			const auto name = process_handle.get_image_filename();
-		//debug_log("Original: %s\n", request->target_address);
+			if (name)
+			{
+				debug_log("Attaching to %s\n", name);
+			}
+
+			debug_log("Level: %d\n", static_cast<int>(KeGetCurrentIrql()));
+
+			/*
+			auto buffer = new uint8_t[r.source_data_size];
+			if (!buffer)
+			{
+				debug_log("Failed to allocate buffer\n");
+				return;
+			}
+
+			auto destructor = utils::finally([buffer]()
+			{
+				delete[] buffer;
+			});
+
+			memcpy(buffer, r.source_data, r.source_data_size);
+			*/
+
+			process::scoped_process_attacher attacher{process_handle};
+
+			debug_log("Original: %p\n", r.target_address);
+
+			uint8_t buffer = 0xEB;
+
+			//hypervisor::get_instance()->install_ept_hook(r.target_address, buffer, r.source_data_size);
+			hypervisor::get_instance()->install_ept_hook(r.target_address, &buffer, 1);
+
+			debug_log("Done1\n");
+		});
+
+		t.join();
+		debug_log("Done\n");
 	}
 
 	_Function_class_(DRIVER_DISPATCH) NTSTATUS io_ctl_handler(
@@ -81,6 +111,7 @@ namespace
 				debug_log("Hello from the Driver!\n");
 				break;
 			case HOOK_DRV_IOCTL:
+
 				apply_hook(static_cast<hook_request*>(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
 				break;
 			default:

src/runner/main.cpp

@@ -66,7 +66,13 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])
 
 	hook_request hook_request{};
 	hook_request.process_id = _pid; //GetCurrentProcessId();
-	hook_request.target_address = (void*)0x1401644A8; //"My Message!";
+	hook_request.target_address = (void*)0x14007DCF7; //"My Message!";
+
+	uint8_t buffer[1];
+	buffer[0] = 0xEB;
+
+	hook_request.source_data = buffer;
+	hook_request.source_data_size = 1;
 
 	input.assign(reinterpret_cast<uint8_t*>(&hook_request),
 	             reinterpret_cast<uint8_t*>(&hook_request) + sizeof(hook_request));