From e2f73e0aeb400eba5c15a14e3a3279b45b315b49 Mon Sep 17 00:00:00 2001
From: momo5502
Date: Thu, 14 Apr 2022 20:47:40 +0200
Subject: [PATCH] More progress

---
 src/driver/driver_main.cpp | 2 +-
 src/driver/ept.cpp | 4 +---
 src/driver/hypervisor.cpp | 5 +++++
 src/driver/hypervisor.hpp | 2 ++
 src/driver/irp.cpp | 26 +++++++++++++++++++++-----
 src/driver/memory.cpp | 11 -----------
 src/driver/memory.hpp | 2 --
 src/driver/process.cpp | 18 +++++++++++++++++-
 src/driver/process.hpp | 1 +
 src/runner/main.cpp | 17 ++++++++++++-----
 10 files changed, 60 insertions(+), 28 deletions(-)

diff --git a/src/driver/driver_main.cpp b/src/driver/driver_main.cpp
index 59ae866..be9ba45 100644
--- a/src/driver/driver_main.cpp
+++ b/src/driver/driver_main.cpp
@@ -126,7 +126,7 @@ namespace
 };

 auto* target = reinterpret_cast(&NtCreateFile);
- if (memcmp(target, fixup, sizeof(fixup)))
+ if (memcmp(target, fixup, sizeof(fixup)) != 0)
 {
 debug_log("Fixup is invalid\n");
 return nullptr;
diff --git a/src/driver/ept.cpp b/src/driver/ept.cpp
index e7c76e9..66c38ef 100644
--- a/src/driver/ept.cpp
+++ b/src/driver/ept.cpp
@@ -106,9 +106,7 @@ namespace vmx
 }
 }

- ept::ept()
- {
- }
+ ept::ept() = default;

 ept::~ept()
 {
diff --git a/src/driver/hypervisor.cpp b/src/driver/hypervisor.cpp
index fe2ea9b..c49e7d6 100644
--- a/src/driver/hypervisor.cpp
+++ b/src/driver/hypervisor.cpp
@@ -192,6 +192,11 @@ void hypervisor::disable_all_ept_hooks() const
 });
 }

+hypervisor* hypervisor::get_instance()
+{
+ return instance;
+}
+
 void hypervisor::enable()
 {
 const auto cr3 = __readcr3();
diff --git a/src/driver/hypervisor.hpp b/src/driver/hypervisor.hpp
index 486bd50..589c3b0 100644
--- a/src/driver/hypervisor.hpp
+++ b/src/driver/hypervisor.hpp
@@ -22,6 +22,8 @@ public:
 bool install_ept_hook(void* destination, const void* source, size_t length);
 void disable_all_ept_hooks() const;

+ static hypervisor* get_instance();
+
 private:
 uint32_t vm_state_count_{0};
 vmx::state** vm_states_{nullptr};
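Review bot: `get_instance()` hands out the raw `instance` pointer without stating whether it can be null, and the matching declaration added to hypervisor.hpp carries no comment either. The pointer is presumably assigned by the constructor and cleared by the destructor (neither is in this hunk), so callers elsewhere in the driver need to know they must null-check the result before use. A one-line doc on the declaration, `/// Returns the active hypervisor, or nullptr if none has been constructed yet.`, would make that contract explicit.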
diff --git a/src/driver/irp.cpp b/src/driver/irp.cpp
index d10bdfd..e0cc27b 100644
--- a/src/driver/irp.cpp
+++ b/src/driver/irp.cpp
@@ -7,6 +7,8 @@
 #include

+#include "process.hpp"
+
 namespace
 {
 _Function_class_(DRIVER_DISPATCH)
 NTSTATUS not_supported_handler(PDEVICE_OBJECT /*device_object*/, const PIRP irp)
@@ -40,12 +42,26 @@ namespace
 const auto aligned_address = address & (PAGE_SIZE - 1);
 const auto offset = address - aligned_address;

- debug_log("Original: %s\n", request->target_address);
+ debug_log("Pid: %d | Address: %p\n", request->process_id, request->target_address);

- static uint8_t buffer[PAGE_SIZE * 2]{0};
- memory::query_process_physical_page(request->process_id, reinterpret_cast(aligned_address), buffer);
+ auto current_proc = process::get_current_process();
+ if (current_proc)
+ {
+ debug_log("Current: %p\n", current_proc.get_id());
+ }

- debug_log("Data: %s\n", buffer + offset);
+ //debug_log("Current: %lld\n",PsGetCurrentProcessId());
+
+ /*const auto process_handle = process::find_process_by_id(request->process_id);
+ if(process_handle && process_handle.is_alive())
+ {
+ debug_log("Bad process\n");
+ return;
+ }
+
+ process::scoped_process_attacher attacher{process_handle};
+
+ debug_log("Original: %s\n", request->target_address);*/
 }
 _Function_class_(DRIVER_DISPATCH)
 NTSTATUS io_ctl_handler(
@@ -68,7 +84,7 @@ namespace
 debug_log("Hello from the Driver!\n");
 break;
 case HOOK_DRV_IOCTL:
- //apply_hook(static_cast(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
+ apply_hook(static_cast(irp_sp->Parameters.DeviceIoControl.Type3InputBuffer));
 break;
 default:
 debug_log("Invalid IOCTL Code: 0x%X\n", ioctr_code);
diff --git a/src/driver/memory.cpp b/src/driver/memory.cpp
index fc904b9..65b8629 100644
--- a/src/driver/memory.cpp
+++ b/src/driver/memory.cpp
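Review bot: `apply_hook` now reads `request->process_id` and `request->target_address` (second hunk) through a pointer that the third hunk takes directly from `Parameters.DeviceIoControl.Type3InputBuffer`, which for a METHOD_NEITHER IOCTL is an unvalidated user-mode address. Neither hunk compares `InputBufferLength` against `sizeof(hook_request)` or probes the buffer, so a short or bogus pointer from the user-mode runner takes down the kernel instead of being rejected; the request should be captured into a kernel-side copy under `ProbeForRead` inside `__try`/`__except` before any field is touched, as sketched below. With the `query_process_physical_page` call gone, `aligned_address` and `offset` (context lines) are left unused and will warn, and the commented-out block at the end of `apply_hook` should be dropped rather than shipped as dead code. The body of `io_ctl_handler` starts and ends outside the third hunk.
```cpp
case HOOK_DRV_IOCTL:
{
    const auto& ioctl = irp_sp->Parameters.DeviceIoControl;
    if (ioctl.InputBufferLength < sizeof(hook_request))
    {
        debug_log("Hook request too small\n");
        break;
    }

    hook_request request{};
    bool captured = false;
    __try
    {
        // Type3InputBuffer is a raw user pointer: probe, then copy before use.
        ProbeForRead(ioctl.Type3InputBuffer, sizeof(hook_request), alignof(hook_request));
        request = *static_cast<const hook_request*>(ioctl.Type3InputBuffer);
        captured = true;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        debug_log("Invalid hook request buffer\n");
    }

    if (captured)
    {
        apply_hook(&request);
    }
    break;
}
// … unchanged: default case and the rest of the switch …
```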
@@ -112,15 +112,4 @@ namespace memory
 copy_address.PhysicalAddress.QuadPart = static_cast(address);
 MmCopyMemory(destination, copy_address, length, MM_COPY_MEMORY_PHYSICAL, &result);
 }
-
- uint64_t query_process_physical_page(const uint32_t process_id, void* address,
- uint8_t buffer[PAGE_SIZE])
- {
- const auto process_handle = process::find_process_by_id(process_id);
-
- process::scoped_process_attacher attacher{process_handle};
-
- memcpy(buffer, address, PAGE_SIZE);
- return get_physical_address(address);
- }
 }
diff --git a/src/driver/memory.hpp b/src/driver/memory.hpp
index a729606..4d2753e 100644
--- a/src/driver/memory.hpp
+++ b/src/driver/memory.hpp
@@ -25,8 +25,6 @@ namespace memory

 void copy_physical_data(uint64_t address, void* destination, size_t length);

- uint64_t query_process_physical_page(uint32_t process_id, void* address, uint8_t buffer[PAGE_SIZE]);
-
 template
 T* allocate_aligned_object(Args ... args)
 {
diff --git a/src/driver/process.cpp b/src/driver/process.cpp
index e468f96..ba375fd 100644
--- a/src/driver/process.cpp
+++ b/src/driver/process.cpp
@@ -47,12 +47,27 @@ namespace process

 bool process_handle::is_alive() const
 {
+ if(!this->handle_)
+ {
+ return false;
+ }
+
 LARGE_INTEGER zero_time{};
 zero_time.QuadPart = 0;

 return KeWaitForSingleObject(this->handle_, Executive, KernelMode, FALSE, &zero_time) != STATUS_WAIT_0;
 }

+ HANDLE process_handle::get_id() const
+ {
+ if(!this->handle_)
+ {
+ return 0;
+ }
+
+ PsGetProcessId(this->handle_);
+ }
+
 const char* process_handle::get_image_filename() const
 {
 if (!this->handle_)
@@ -77,7 +92,8 @@ namespace process
 process_handle find_process_by_id(const uint32_t process_id)
 {
 PEPROCESS process{};
- if (PsLookupProcessByProcessId(HANDLE(process_id), &process) != STATUS_SUCCESS)
+ const uint64_t process_id_long = process_id;
+ if (PsLookupProcessByProcessId(HANDLE(process_id_long), &process) != STATUS_SUCCESS)
 {
 return {};
 }
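Review bot: `get_id()` never returns the value it computes: `PsGetProcessId(this->handle_);` discards the result and control falls off the end of a non-void function, which is undefined behaviour and feeds garbage into the `Current: %p` log in irp.cpp. The line should read `return PsGetProcessId(this->handle_);`, and the empty-handle branch should return `nullptr` rather than `0` to match the `HANDLE` return type. The new declaration in process.hpp also returns a `HANDLE` while `find_process_by_id` in the next hunk takes a `uint32_t` id, so a short comment on the declaration saying which representation callers get back would avoid mixing the two.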
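Review bot: `HANDLE(process_id_long)` is still a functional-style (C-style) cast, so widening `process_id` into an extra local only silences the truncation warning rather than expressing the intent. `reinterpret_cast<HANDLE>(static_cast<uintptr_t>(process_id))`, or the SDK's `ULongToHandle(process_id)`, says the same thing in one named-cast expression without the temporary. The body of `find_process_by_id` continues past the end of the hunk.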
diff --git a/src/driver/process.hpp b/src/driver/process.hpp
index 3efaa55..3aa750c 100644
--- a/src/driver/process.hpp
+++ b/src/driver/process.hpp
@@ -19,6 +19,7 @@ namespace process

 operator PEPROCESS() const;

 bool is_alive() const;
+ HANDLE get_id() const;

 const char* get_image_filename() const;
diff --git a/src/runner/main.cpp b/src/runner/main.cpp
index 55129a7..5710099 100644
--- a/src/runner/main.cpp
+++ b/src/runner/main.cpp
@@ -1,3 +1,5 @@
+#include
+
 #include "std_include.hpp"
 #include "finally.hpp"
 #include "driver.hpp"
@@ -52,11 +54,17 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])

 (void)driver_device.send(HELLO_DRV_IOCTL, input);

- MessageBoxA(0, "Service started!", 0, 0);
- /*
+ std::string pid;
+
+ std::cout << "Please, enter the pid: ";
+ std::getline(std::cin, pid);
+
+ int _pid = atoi(pid.data());
+ printf("Pid was : %d\n", _pid);
+
 hook_request hook_request{};
- hook_request.process_id = GetCurrentProcessId();
- hook_request.target_address = "My Message!";
+ hook_request.process_id = _pid; //GetCurrentProcessId();
+ hook_request.target_address = (void*)0x1401644A8; //"My Message!";

 input.assign(reinterpret_cast(&hook_request),
 reinterpret_cast(&hook_request) + sizeof(hook_request));
@@ -64,7 +72,6 @@ void unsafe_main(const int /*argc*/, char* /*argv*/[])
 (void)driver_device.send(HOOK_DRV_IOCTL, input);

 MessageBoxA(0, "Press ok to exit!", 0, 0);
- */
 }

 int main(const int argc, char* argv[])
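Review bot: `atoi(pid.data())` silently returns 0 for empty or non-numeric input and `_pid` is then sent to the driver unchecked, so a typo at the prompt becomes a hook request for pid 0. Parse with `std::from_chars` (needs `<charconv>`) and stop when nothing was consumed or the value is not positive, as below; `_pid` is also a leading-underscore name, which is reserved in some scopes, so `pid_value` reads better. The hard-coded `(void*)0x1401644A8` with its C-style cast should become a second prompted or argv value, or at least a named constant with a comment saying which image it belongs to, instead of a magic literal.
```cpp
std::string pid;
std::cout << "Please, enter the pid: ";
std::getline(std::cin, pid);

int pid_value = 0;
const auto [end, ec] = std::from_chars(pid.data(), pid.data() + pid.size(), pid_value);
if (ec != std::errc{} || end != pid.data() + pid.size() || pid_value <= 0)
{
    printf("Invalid pid: '%s'\n", pid.c_str());
    return;
}
printf("Pid was : %d\n", pid_value);

hook_request hook_request{};
hook_request.process_id = pid_value;
// … unchanged: target_address, input.assign and the HOOK_DRV_IOCTL send …
```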